Oh crumbs – Security flaw in WordPress GDPR cookie plugin left 700,000 sites open to abuse

Designed to aid compliance, GDPR Cookie Consent introduced a fresh set of security issues

A hugely popular WordPress plugin designed to help websites comply with EU cookie laws has been patched for a security flaw that could allow attackers to change site content and inject malicious JavaScript code.

The vulnerability found in GDPR Cookie Consent, whose 700,000-plus active installations makes it one of WordPress’ most popular plugins, was caused by inadequate access controls and affects versions 1.8.2 and below.

In a post mapping out the path to privilege escalation and authenticated stored cross-site scripting (XSS), the security researcher who discovered the bug urged users to update to the latest version (1.8.3) as soon as possible.

The researcher, NinTechNet’s Jerome Bruandet, said he discovered and reported the vulnerability to WordPress on January 28 and notified the developer on February 4.

The plugin’s developer, WebToffee, released the new version six days later, on February 10.

This site uses cookies

Retailing from $49, GDPR Cookie Consent allows web admins to make their site compliant with the EU’s General Data Protection Regulation (GDPR) by enabling a customizable cookie notice with the now all-too-familiar ‘accept’ and ‘reject’ options.

In his proof of concept, Bruandet said the ajax_policy_generator loaded by the WordPress AJAX API lacked capability checks and was not checked in the plugin’s PHP code.

Two of three values accepted for the cli_policy_generator_action input could be easily exploited by an attacker, he said.

First, the save_contentdata value allowed the administrator to save the GDPR cookie notice to the database as a page post type.

With this, a subscriber or other authenticated user could take an existing page, post or even the entire website offline by switching the post status from ‘published’ to ‘draft’.

They could also delete or inject content like formatted text, images, and hyperlinks.

Although the vulnerability required an attacker to be authenticated on the target website, ‘authenticated’ in this instance could simply mean someone who was a subscriber to the site.

The stored XSS risk, meanwhile, stemmed from the autosave_contant_data method used to save the GDPR cookie info page during editing.

Data saved within the cli_pg_content_data database was not validated, said Bruandet, opening the door to an authenticated user injecting JavaScript code, which would activate when anyone visited the ‘http://example.com/cli-policy-preview/’ page.

A CVE ID is pending for this vulnerability, which has been separately identified and analyzed by WordPress security specialists at WordFence.

At the time of writing, around 35% of GDPR Cookie Consent installations are still running on older versions vulnerable to the flaw.

The Daily Swig has contacted NinTechNet for further comment.

YOU MIGHT ALSO LIKE XSS vulnerability patched in TinyMCE