WordPress Cookie Consent Plugin patched Critical Flaw that affected 700K Users
Critical bugs found in the WordPress GDPR Cookie Consent plugin used by over 700,000 websites allow potential attackers to delete and change content and inject malicious JavaScript code due to improper access controls.
The GDPR Cookie Consent plugin is designed to allow site admins to display customizable header or footer cookie banners to show their website’s EU Cookie Law (GDPR) compliance. The plugin maintained by WebToffee is also among the top 100 most popular ones in the WordPress plugins repository and is used by more than 700,000 sites according to the active installations count on its WordPress library entry.
The WordPress security firm Wordfence, which also independently identified this flaw after it was patched by WebToffee, says that “the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security. Additionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes.”
The vulnerability, which does not yet have a CVE number, affects GDPR Cookie Consent version 1.8.2 and below.
The other method, autosave_contant_data, is used to save the GDPR cookie info page in the background while the admin is editing it; it writes the submitted data into the cli_pg_content_data database field without validating it. Because the method is reachable by any logged-in user, including subscribers, whatever they submit is stored, and that content is then loaded and rendered each time someone visits the “http://example.com/cli-policy-preview/” page, so injected JavaScript executes in visitors' browsers.
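To make the bug class concrete for plugin developers, the following is an added illustration written for this article, not the plugin's own code: an admin-ajax save handler that stores submitted HTML with no access control, beside a hardened version that adds a nonce check, a capability check and output-safe sanitisation. The hook names, the `example_*` function names and the nonce action are assumptions for the example; only the `cli_pg_content_data` field name comes from the article.

```php
<?php
// Added illustration (not the plugin's code): the class of defect described in the article.
// Hook names, function names and the nonce action are assumptions for this example;
// `cli_pg_content_data` is the stored field the article names.

// --- Vulnerable pattern: every wp_ajax_* handler is reachable by any authenticated
//     user, so without a capability check or nonce a subscriber controls what is
//     stored and later rendered on the preview page. ---
function example_autosave_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    update_option( 'cli_pg_content_data', $content ); // stored without validation
    wp_send_json_success();
}
add_action( 'wp_ajax_example_autosave_vulnerable', 'example_autosave_vulnerable' );

// --- Hardened pattern: three checks that close this bug class. ---
function example_autosave_hardened() {
    // 1. CSRF protection: the request must carry the nonce issued to the editing screen.
    check_ajax_referer( 'example_autosave_nonce', 'security' );

    // 2. Authorisation: only users allowed to manage settings may write this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation: wp_kses_post() strips <script>, on* event handlers and
    //    javascript: URLs while keeping formatted text, links and images.
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    update_option( 'cli_pg_content_data', $content );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_autosave_hardened', 'example_autosave_hardened' );

// Issue the nonce to the admin screen that hosts the editor (hypothetical script handle).
function example_enqueue_editor_script() {
    wp_enqueue_script( 'example-autosave', plugins_url( 'autosave.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-autosave', 'exampleAutosave', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_autosave_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_script' );

// Output side: filter again on render so stored content is never trusted wholesale,
// which limits the damage if any other write path to the option is missed.
function example_render_preview() {
    echo wp_kses_post( get_option( 'cli_pg_content_data', '' ) );
}
```

The design point is that the nonce and the capability check answer different questions (is this request genuinely from the editing screen, and is this user allowed to change the page), and neither replaces sanitising the HTML; all three belong in a handler that writes content later shown to visitors.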
During the two days since the patched version was released, a little over 76,000 users have already updated their installations, with more than 600,000 still having to secure their websites from potential attacks by installing the latest release.
“This vulnerability has been fixed in version 1.8.3. We recommend that users immediately update to the latest version available,” according to Wordfence.