The EU General Protection Data Regulation (GDPR) is supposed to make companies take extra care with their customers’ personal data. That includes gathering explicit consent to use information and keeping it safe from identity thieves.
WP GDPR Compliance is a plugin that allows WordPress website owners to add a checkbox to their websites. The checkbox allows visitors handing over their data to grant permission for the site owners to use it for a defined purpose, such as handling a customer order. It also allows visitors to request copies of the data that the website holds about them.
Users send these requests using admin-ajax.php, which is a file that lets browsers connect with the WordPress server. It uses Ajax, a combination of JavaScript and XML technology that creates smoother user interfaces. This system first appeared in WordPress 3.6 and allows the content management system to offer better auto-saving and revision tracking among other things.
The GDPR plugin also allows users to configure it via admin-ajax.php, and that’s where the trouble begins. Attackers can send it malicious commands, which it stores and executes. They can use this to trigger WordPress actions of their own.
Wordfence, the WordPress security firm that discovered the flaw, said that attackers were exploiting it in two ways.
In the first, attackers created administrative accounts by allowing new users to register and then alter a setting to automatically make them administrators. Then they installed a malicious plugin that infected the site with malware. Attackers were using this method to install a PHP web shell – a script that gives them remote admin capabilities on the web server, which provided them with terminal access and a file manager, Wordfence reported.
In the second exploit, attackers uploaded a series of scripted tasks that are scheduled via WP-Cron. Cron is a common task scheduling system that handles jobs on Unix systems, and WP-Cron is the way that WordPress handles scheduled tasks.
This attack, which is more complex than the first, used the e-commerce plugin WooCommerce, which is one of the plugins that WP GDPR Compliance supports. It hijacked a WooCommerce function to install another plugin called 2MB Autocode. This plugin allows administrators to inject their own PHP code into WordPress posts.
The attackers used this attack to inject a PHP backdoor script that downloaded code from another site. The 2MB Autocode plugin then deleted itself.
Wordfence couldn’t find any obvious executable payload in this attack, but said that the attackers may be building a collection of websites and biding their time:
It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions. There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet.
The plugin developers fixed the flaw after the WordPress security team removed the plugin from the WordPress directory. Since then, the WordPress team has once again made it publicly available.
However, some users were not quick enough to update their systems. One posted on the plugin’s support forum:
I was not quick enough to update and have been hit with the WP GDPR Compliance Plugin hack. Website is now down HTTP error 500.