Flaw in WordPress plugin allowed unauthorized admin access, backdoors

The flaw has been patched in the privacy-focused plugin WP GDPR Compliance, which has more than 100,000 downloads.
WordPress plugins vulnerabilities

A now-patched flaw in a popular plugin was allowing hackers to take over various WordPress sites and act as administrators, putting them in a position to cause further damage, according to Wordfence, a company that makes security software for the publishing platform.

The plugin, WP GDPR Compliance, is meant to help WordPress site owners comply with Europe’s General Data Protection Regulation by automating tasks like data access requests and data deletion requests. GDPR requires that companies give their users the option to view or delete data that pertains to them. A bug in the privacy-focused plugin was exploited in the wild, Wordfence said in a report published Thursday, allowing “unauthenticated attackers to achieve privilege escalation.”

The vulnerability allowed attackers to force affected WordPress sites to perform arbitrary actions, including installing new administrator accounts. Wordfence researchers said they also observed attackers installing backdoors, but it’s not clear what they’re intended to be used for.

“Whether an infected site is serving spam emails, hosting a phishing scam, or any other direct or indirect monetization, there’s often a clear goal identified as part of the triage process,” Wordfence said. “However, despite the rapid occurrence of these identified cases, so far our research has only turned up backdoor scripts on sites impacted by this issue.”


Not only are attackers compromising vulnerable WordPress sites, Wordfence said, but they’re also undoing the intermediary actions that let them escalate their privileges.

“This serves to help prevent other attackers from creating their own administrator accounts, as well as reducing the likelihood that a site’s administrator will notice a problem. It closes the door behind the attacker,” Wordfence’s report says.

Wordfence says it’s “critical” that users update to the latest version of the GDPR plugin, which has more than 100,000 downloads. Wordfence itself runs a free WordPress plugin that notifies users of outdated plugins, as well as paid premium services like firewalls to mitigate WordPress vulnerabilities.

Latest Podcasts