WordPress GDPR compliance plugin hacked

Share this Story:

By nakedsecurity

The EU General Protection Data Regulation (GDPR) is supposed to make companies take extra care with their customers’ personal data. That includes gathering explicit consent to use information and keeping it safe from identity thieves.

WP GDPR Compliance is a plugin that allows WordPress website owners to add a checkbox to their websites. The checkbox allows visitors handing over their data to grant permission for the site owners to use it for a defined purpose, such as handling a customer order. It also allows visitors to request copies of the data that the website holds about them.

Users send these requests using admin-ajax.php, which is a file that lets browsers connect with the WordPress server. It uses Ajax, a combination of JavaScript and XML technology that creates smoother user interfaces. This system first appeared in WordPress 3.6 and allows the content management system to offer better auto-saving and revision tracking among other things.

The GDPR plugin also allows users to configure it via admin-ajax.php, and that’s where the trouble begins. Attackers can send it malicious commands, which it stores and executes. They can use this to trigger WordPress actions of their own.

9,354 total views, 4 views today

Leave a Reply

Your e-mail address will not be published. Required fields are marked *