Attackers exploit flaw in GDPR-themed WordPress plugin to hijack websites
Source: Vistar Communications for ESET Middle East, Author: Tomas Foltyn
Posted: Sat December 8, 2018 12:33 pm

UAE. Attackers have been exploiting a security weakness in a GDPR compliance plugin for WordPress to seize control of vulnerable websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.

Importantly, the developer behind the plugin, which is called WP GDPR Compliance, has issued a patch fixing the critical flaw. Its users are, therefore, strongly advised to upgrade to version 1.4.3. Alternatively, the tool may be disabled or uninstalled. Note that updating closes the hole but does not undo anything an attacker already did through it; a site that ran a vulnerable version should also be checked for administrator accounts and scheduled tasks that nobody at the site created.

Used by more than 100,000 websites seeking compliance with the European Union’s General Data Protection Regulation (GDPR), the plugin was pulled from the WordPress plugin repository after news of the flaw broke, but was reinstated quickly with the release of the version that plugs the hole.

Two in one
If left unpatched, the privilege escalation hole enables attackers to take over affected sites and use them for a range of further villainous actions. This is not merely a hypothetical threat: attackers were found to have been compromising vulnerable websites for around three weeks before the fix was released.

In fact, the plugin was affected by two distinct bugs. However, “with potential exploits living in the same block of code and executed with the same payload, we’re treating this as a single privilege escalation vulnerability”, reads the blog post. The researchers spotted two kinds of attacks leveraging the security hole: a simpler and a more complex one.

As their follow-up blog post explains, the first – and more common – scenario involves attackers abusing the targeted site's user registration settings, which the flaw lets them change, in order to register new administrator accounts, which then give them full control of the site.

As part of the malicious routine, the attackers “close the doors behind themselves” by reversing the changes in settings that let them in and by disabling user registration. This is presumably intended to avoid raising alarms and to lock out competing ne’er-do-wells. A few hours later, the attackers are back – logging in with their admin access and installing backdoors.

In the second – and perhaps more discreet – kind of attack, the malefactors leverage the bug to abuse WP-Cron, WordPress's built-in task scheduler, which runs its queued actions on ordinary page loads rather than requiring anyone to log in. The long and the short of it is that they inject malicious scheduled actions into WP-Cron in order to ultimately establish persistent backdoors.
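A triage script covering the indicators described in the two scenarios above (plugin version, registration settings, administrator accounts and WP-Cron entries). This is an added example, not code from the article, ESET or Wordfence. It assumes WP-CLI ("wp") is installed and the script is run from the WordPress root, takes the fixed version 1.4.3 from the article, and assumes the plugin's wordpress.org slug is wp-gdpr-compliance. The option names users_can_register and default_role and the WP-CLI commands used are standard WordPress/WP-CLI; the list of core cron hooks is a starting point that plugins and themes legitimately extend.

```shell
#!/bin/sh
# Added triage script for the indicators in the article (not ESET's or Wordfence's code).
# Assumptions: WP-CLI is installed and we run from the WordPress root; the plugin slug
# "wp-gdpr-compliance" is assumed; the fixed version 1.4.3 comes from the article.

PLUGIN_SLUG="wp-gdpr-compliance"
PATCHED_VERSION="1.4.3"

# version_ge A B: succeeds when dot-separated numeric version A is >= B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        if [ "$a" = "$ap" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bp" ]; then b=""; else b=${b#*.}; fi
        [ "${ap:-0}" -gt "${bp:-0}" ] && return 0
        [ "${ap:-0}" -lt "${bp:-0}" ] && return 1
    done
    return 0
}

# check_registration USERS_CAN_REGISTER DEFAULT_ROLE: prints a finding and fails when
# new registrants would become administrators, or when registration is open with any
# role above subscriber. The attackers disable registration again after getting in,
# so a clean result here does not prove the site was never hit.
check_registration() {
    can_register="$1"; role="$2"
    if [ "$role" = "administrator" ]; then
        echo "FINDING: default_role=administrator (every new registration becomes an admin)"
        return 1
    fi
    if [ "$can_register" = "1" ] && [ "$role" != "subscriber" ]; then
        echo "FINDING: open registration with default_role=$role"
        return 1
    fi
    return 0
}

# Core WP-Cron hooks (WordPress 5.x); anything else is plugin/theme/attacker supplied.
CORE_CRON_HOOKS="wp_version_check wp_update_plugins wp_update_themes wp_scheduled_delete delete_expired_transients wp_scheduled_auto_draft_delete recovery_mode_clean_expired_keys wp_privacy_delete_old_export_files wp_site_health_scheduled_check"

# suspicious_cron_hooks: reads one hook name per line on stdin, prints non-core ones.
# Printed hooks need review (attribute each to an installed plugin), not blind removal.
suspicious_cron_hooks() {
    while IFS= read -r hook; do
        [ -z "$hook" ] && continue
        case " $CORE_CRON_HOOKS " in
            *" $hook "*) ;;
            *) echo "$hook" ;;
        esac
    done
}

# run_triage: live checks through WP-CLI; returns 1 when a finding was printed.
run_triage() {
    status=0
    ver=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || echo "")
    if [ -z "$ver" ]; then
        echo "INFO: $PLUGIN_SLUG is not installed"
    elif version_ge "$ver" "$PATCHED_VERSION"; then
        echo "OK: $PLUGIN_SLUG $ver is at or above $PATCHED_VERSION"
    else
        echo "FINDING: $PLUGIN_SLUG $ver is vulnerable; update to $PATCHED_VERSION or remove it"
        status=1
    fi

    # Settings the attackers flipped to get in (scenario one).
    check_registration "$(wp option get users_can_register)" "$(wp option get default_role)" || status=1

    # Administrator accounts with creation dates: look for any nobody at the site recognises.
    echo "Administrator accounts (ID,login,registered):"
    wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv

    # Non-core WP-Cron entries (scenario two); the header row of the CSV is dropped.
    echo "Non-core WP-Cron hooks to review:"
    wp cron event list --fields=hook --format=csv | tail -n +2 | suspicious_cron_hooks
    return $status
}

if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    run_triage
fi
```

Run it as the site's system user after updating the plugin. The version check only tells you whether the hole is still open; the account and cron listings are what reveal whether someone already came through it, since an update removes neither a planted administrator nor a scheduled task.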

It’s unclear at this point how the attackers ultimately aim to take advantage of the hijacked websites. At any rate, the potential harmful actions run the gamut and include hosting phishing sites and spewing out spam.

Photo Caption: Tomas Foltyn, security writer at ESET