Cybercriminals are exploiting a privilege escalation zero-day vulnerability present in WP GDPR Compliance - a WordPress plugin - that aids website owners to become GDPR complaint. The vulnerable plugin is reportedly used by more than 100,000 users and all of them are now feared to be exposed to malicious backdoor attacks.
Three weeks ago, after attackers discovered the vulnerability in the plugin, they began exploiting it to gain access to WordPress sites and install malicious backdoor scripts.
However, after multiple reports about websites being hacked surfaced on WP GDPR Compliance forums, security researchers discovered that the exploit could allow attackers to install second-stage payloads on vulnerable websites and gain complete access. The WordPress security team investigated the source of the hacks and found the vulnerable plugin on some of the hacked sites.
According to security researchers from Defiant - a company that operates Wordfence firewall plugin for WordPress sites - the malware scans revealed two primary types of exploits taking place. The first exploit allows modification of users’ registration settings. Meanwhile, the second exploit involves injecting malicious scheduled actions to be executed by WP-Cron. Both these attacks use different types of backdoor scripts, researchers said.
The attackers attempted to make the second exploitation scenario stealthier than the first one. However, they failed, as the second exploit lead to the discovery of the zero-day vulnerability. The hackers also failed to delete a 2MB autocode plugin, which caught the attention of the site’s owners and caused panic.
One of the frequent exploits that makes use of this vulnerability at present, involves attackers being able to modify arbitrary settings on vulnerable sites. By allowing new user registration and changing the default role of the new user to administrator, attackers could easily create privileged access to vulnerable websites.
The vulnerable plugin was restored to its original state just before two days after the authors' released version 1.4.3, which contained patches for the reported issues. The vulnerable plugin was removed by the WordPress security team earlier this week. Along with this patch, the team also identified and fixed several other security issues within its code, which were also believed to be the cause of the attacks.
The vulnerability was patched in the newer updated version 1.4.3. Meanwhile, all sites running version 1.4.2 and older versions are still vulnerable to this exploit. Reports suggest that the attackers are targeting a WP GDPR Compliance bug that allows them to make a call to one of the vulnerable plugin’s internal functions. This, in turn, allows attackers to change settings for both the plugin and for the entire WordPress CMS.
In some cases, the hackers appear to be stockpiling information from hacked sites, instead of trying to deploy malicious backdoors scripts, such as SEO spam, exploit kits, malware, or other kinds of malicious activities.
Researchers advised site owners to update or remove the vulnerable plugin to stay safe from attacks.
Publisher