Popular Website Plugin Affects over 700,000 Sites
GDPR Cookie Consent, a WordPress plugin that helps businesses display cookie banners and show compliance with the EU's General Data Protection Regulation, has more than 700,000 active installations. Its developer has issued fixes for a critical flaw that could enable hackers to modify content or inject malicious JavaScript code into victim websites. With the plugin installed on over 700,000 websites, it is a ripe target for hackers.
The vulnerability, which does not yet have a CVE number, affects GDPR Cookie Consent version 1.8.2 and below. The developer was notified of the critical flaw, and the GDPR Cookie Consent plugin was removed from the WordPress.org plugin directory pending a review. The flaw is the result of improper access controls in an endpoint used by the WordPress plugin's AJAX API. The endpoint is the “_construct” method within the plugin, used for initializing code for newly created objects. Actions are sent via AJAX to the “_construct” method, but this process performs no access check. Because of this, the AJAX endpoint, intended to be accessible only to administrators, also allowed subscriber-level users to perform a number of actions that can compromise the site's security. A subscriber is a WordPress user role with very limited capabilities, usually just logging into the website and leaving comments.
The new version, 1.8.3, was released by Cookie Law Info, the developer behind the plugin, on Feb. 10. There were numerous code changes, but those relevant to security include a capabilities check added to an AJAX endpoint used in the plugin's administration pages. While Wordfence disclosed details of the vulnerability, it was discovered by Jerome Bruandet, a security researcher with NinTechNet.
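To illustrate the class of flaw and the kind of fix described above, here is an added example of a WordPress AJAX handler with a missing capability check beside a hardened version. It is not the plugin's own code; the hook names, action names, option name and nonce name are hypothetical.

```php
<?php
// Added example, not the plugin's code: a handler that stores cookie-banner text
// via admin-ajax.php. Hook, action, option and nonce names are hypothetical.

// BEFORE: any logged-in user, including a subscriber, can invoke a wp_ajax_* hook,
// so a handler without an access check lets them overwrite site content.
function example_save_banner_unsafe() {
    $text = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    update_option( 'example_banner_text', $text ); // raw HTML/JS stored, later rendered on the site
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_banner_unsafe', 'example_save_banner_unsafe' );

// AFTER: verify the nonce (CSRF), require an admin-level capability, and sanitize
// what is stored. Subscribers lack manage_options, so they are rejected.
function example_save_banner_safe() {
    check_ajax_referer( 'example_save_banner', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }
    $text = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    // wp_kses_post() strips <script> tags and on* event attributes, keeping post-safe markup only
    update_option( 'example_banner_text', wp_kses_post( $text ) );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_example_save_banner_safe', 'example_save_banner_safe' );

// The admin page hands the nonce to its script so legitimate requests can carry it.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_banner' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing a plugin, the check to make is that every `wp_ajax_*` callback that changes state performs both a nonce check and a capability check, since being logged in does not imply authority to administer the site.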