Defiant, a security research organisation which specialises in WordPress website security, has identified a flaw in a plugin that has allowed unauthorised individuals to access and alter websites.
The flaw was identified in a GDPR Compliance plugin, which was created in response to the introduction of the EU privacy laws in May 2018. The plugin allowed website owners to add a checkbox to their website for users to consent to the use of their data for specific uses, as now required by GDPR legislation. Due to the importance of GDPR, and the hefty financial penalties that organisations faced for non-compliance, it is estimated that over 100,000 organisations had installed the plugin on their WordPress sites.
Once the flaw was discovered, hackers were able to hijack websites and modify their settings without authorisation. The hackers were also able to register new accounts and grant them admin privileges. They then installed a malicious plugin that infected the site with malware.
The vulnerability can be remotely exploited by unauthenticated users, many of whom have automated exploitation of the vulnerability in order to hijack as many sites as possible before the vulnerability is corrected. Defiant researchers said that they could not identify any immediate payload for the attack, but that the attackers may be building a network of websites which they may exploit in the future. Compromised websites may also be sold on to others who wish to use them for their own malicious purposes.
In a statement about the plugin flaw, Defiant said: “It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions. There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet.”
Researchers investigating the case have also noted that in several attacks, after exploiting the flaw, the attackers have patched the vulnerability themselves. By closing off access to other hackers, those who originally hijacked the website do not have to face the threat of rival hackers taking over their operation.
In some cases, after access to a vulnerable site is gained, a PHP webshell is uploaded to give the attackers full control of the website. Other attackers have added backdoors through the WP-Cron schedule, so that the backdoor persists even if the webshell is removed.
Compromised websites can be used for phishing and other scams, or the sites could have exploit kits uploaded to silently download malware onto visitors’ devices. Phishing attacks have become increasingly sophisticated in recent years. Long gone are the days of thinly veiled attempts at exploitation arriving in email inboxes. The potential payoff for a successful phishing attempt is huge. As sophisticated attacks have a higher chance of success, hackers are always on the lookout for opportunities to create a successful scam. Therefore, when a security vulnerability in a widely used plugin was spotted, the hackers were quick to act.
After WordPress became aware that the WordPress GDPR Compliance plugin vulnerability was being actively exploited in the wild, the plugin was removed from the official WordPress plugin directory and the developer was notified. A new version of the plugin has now been released and the plugin has been reinstated in the official directory. However, some website owners were too slow to update, and their sites were hacked. Some of the affected websites are now down and showing HTTP error 500 (Internal Server Error).
Any website owner that has the WordPress GDPR Compliance plugin installed should ensure it is updated to version 1.4.3, which was released on November 7, 2018. Site owners should also check their sites for any sign of unauthorised changes, and checks should be performed to see whether any new admin accounts have been created or unexpected WP-Cron tasks have been scheduled.
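The two post-compromise indicators the article mentions, newly created administrator accounts and backdoors scheduled through WP-Cron, can both be checked offline from data a site owner already has. The script below is an added example written for this page; it is not Defiant's code and not part of the plugin. It assumes JSON exports in the shape produced by `wp user list --format=json` and `wp cron event list --format=json` (the field names `user_login`, `user_registered`, `roles`, `hook` and `recurrence` are assumed), uses the 1.4.3 release date from the article as the default cut-off, and embeds constructed sample data so it runs without a WordPress install. The allowlist of core cron hooks is an assumption too and should be extended with the hooks your own plugins and theme register.

```python
"""Offline audit for two indicators of a hijacked WordPress site:
administrator accounts registered after a cut-off date, and WP-Cron hooks
that are not on a known allowlist. Added example; assumes WP-CLI JSON
export shapes and uses constructed sample data."""
import json
from datetime import datetime

# Cut-off for "recently created": the release date of the fixed plugin
# version named in the article (1.4.3, 7 November 2018). Adjust to the
# site's own timeline; accounts created on or after this date deserve a look.
DISCLOSURE_DATE = datetime(2018, 11, 7)

# WP-Cron hooks a clean core install normally schedules. Assumed allowlist,
# not exhaustive: extend it with hooks your plugins/themes legitimately add.
KNOWN_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "wp_scheduled_auto_draft_delete",
    "delete_expired_transients", "wp_privacy_delete_old_export_files",
}

# Constructed sample of `wp user list --format=json` output (not real users).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2017-03-02 10:11:12", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2018-01-15 08:00:00", "roles": "editor"},
    {"ID": 57, "user_login": "admin2", "user_email": "none@invalid.example",
     "user_registered": "2018-11-08 03:14:07", "roles": "administrator"},
])

# Constructed sample of `wp cron event list --format=json` output.
SAMPLE_CRON = json.dumps([
    {"hook": "wp_version_check", "next_run_gmt": "2018-11-09 00:00:00",
     "recurrence": "12 hours"},
    {"hook": "wp_update_plugins", "next_run_gmt": "2018-11-09 00:00:00",
     "recurrence": "12 hours"},
    {"hook": "sample_unknown_hook", "next_run_gmt": "2018-11-08 04:00:00",
     "recurrence": "1 hour"},
])


def parse_registered(value):
    """user_registered is 'YYYY-MM-DD HH:MM:SS' in wp user list output (assumed)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def roles_of(user):
    """Normalise the roles field, which WP-CLI emits as a comma-separated string."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        return {r.strip() for r in roles.split(",") if r.strip()}
    return set(roles)


def recent_admins(users, since=DISCLOSURE_DATE):
    """Administrator accounts registered on or after `since`, oldest first."""
    hits = [u for u in users
            if "administrator" in roles_of(u)
            and parse_registered(u["user_registered"]) >= since]
    return sorted(hits, key=lambda u: u["user_registered"])


def unknown_cron_hooks(events, allowlist=KNOWN_CRON_HOOKS):
    """Scheduled hooks not on the allowlist, as (hook, recurrence) pairs."""
    return sorted({(e["hook"], e.get("recurrence", ""))
                   for e in events if e["hook"] not in allowlist})


def audit(users_json, cron_json, since=DISCLOSURE_DATE, allowlist=KNOWN_CRON_HOOKS):
    """Run both checks over JSON export text and return a small report.
    `since` may be a datetime or a 'YYYY-MM-DD' string."""
    if isinstance(since, str):
        since = datetime.strptime(since, "%Y-%m-%d")
    users = json.loads(users_json)
    events = json.loads(cron_json)
    return {
        "recent_admins": [u["user_login"] for u in recent_admins(users, since)],
        "unknown_cron_hooks": [h for h, _ in unknown_cron_hooks(events, allowlist)],
    }


if __name__ == "__main__":
    # On a real site: wp user list --format=json > users.json
    #                 wp cron event list --format=json > cron.json
    # then pass the file contents instead of the constructed samples.
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_CRON), indent=2))
```

A hit in either list is a prompt to investigate, not proof of compromise: a colleague may have legitimately added an administrator, and every plugin that schedules work adds its own hook, which is why the allowlist has to be maintained per site rather than copied blindly.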