GDPR Cookie Consent Plugin Vulnerable to Improper Access Controls | Update Now

Updated on: March 29, 2020

Article Summary

The WordPress GDPR Cookie Consent plugin, which makes GDPR compliance easier for site owners, was found vulnerable to improper access controls. This flaw can lead to severe issues such as privilege escalation and stored XSS on a website. The plugin was actively used on more than 700,000 WordPress websites at the time of writing.

GDPR Cookie Consent Plugin on WordPress

Timeline of the Vulnerability

  • Reported on – 4th Feb 2020
  • Fixed on – 10th Feb 2020
  • Affected Versions – All versions <= 1.8.2
  • Patched Version – 1.8.3

The vulnerability was first reported to wordpress.org, after which the plugin was temporarily removed from the WordPress repository. WordPress lifted the ban on the plugin as soon as the patch was available on the 10th of Feb.

Any site running version <= 1.8.2 can be hacked, so update to the patched version 1.8.3 as soon as you can.

Understanding the GDPR Plugin’s Vulnerabilities

The vulnerability lies in the cli_policy_generator in the __construct method. The cli_policy_generator, which is executed via the WordPress AJAX API through ajax_policy_generator, lacks crucial capability checks. As a result, even though a nonce is sent over AJAX, it goes unverified in the entire PHP framework.

The ajax_policy_generator, in turn, allows three actions: autosave_contant_data, save_contentdata, and get_policy_pageid.

Two of these actions, autosave_contant_data and save_contentdata, are susceptible to attacks. Whereas autosave_contant_data can lead to privilege escalation, save_contentdata can lead to a stored XSS.

Vulnerability in save_contentdata

The save_contentdata action of the cli_policy_generator allows the GDPR cookie policy to be saved as a post of type page. By exploiting it, any authenticated user with permissions as low as a subscriber can change a post's status: publish a post, or move a published one to draft. Worse, they can move the whole website to draft, causing it to crash.

public function save_contentdata()
{
   $out=array(
      'response'=>true,
      'er'=>''
   );
   $content_data=isset($_POST['content_data']) ? $_POST['content_data'] : array();
   $page_id=(int) isset($_POST['page_id']) ? $_POST['page_id']*1 : 0;
   $enable_webtofee_powered_by=(int) isset($_POST['enable_webtofee_powered_by']) ? $_POST['enable_webtofee_powered_by']*1 : 0;
   $id=wp_insert_post(
      array(
         'ID'=>$page_id, //if ID is zero it will create new page otherwise update
         'post_title'=>'Cookie Policy',
         'post_type'=>'page',
         'post_content'=>Cookie_Law_Info_Cli_Policy_Generator::generate_page_content($enable_webtofee_powered_by,$content_data,0),
         'post_status' => 'draft', //default is draft
      )
   );
   if(is_wp_error($id))
   {
      $out=array(
         'response'=>false,
         'er'=>__('Error','cookie-law-info'),
         //'er'=>$id->get_error_message(),
      );
   }else
   {
      Cookie_Law_Info_Cli_Policy_Generator::set_cookie_policy_pageid($id);
      $out['url']=get_edit_post_link($id);
   }
   return $out;
}

Vulnerability in autosave_contant_data

The autosave_contant_data action saves the GDPR cookie policy content temporarily in the cli_pg_content_data option while the admin is still editing it.

Because the data written to cli_pg_content_data is not validated, any authenticated user can inject malicious JavaScript code into a website running the GDPR Cookie Consent plugin.

public function autosave_contant_data()
{
   global $wpdb;
   $scan_table=$wpdb->prefix.$this->main_tb;
   $out=array(
      'response'=>true,
      'er'=>''
   );
   $content_data=isset($_POST['content_data']) ? $_POST['content_data'] : array();
   $page_id=isset($_POST['page_id']) ? $_POST['page_id'] : '';
   $enable_webtofee_powered_by=(int) isset($_POST['enable_webtofee_powered_by']) ? $_POST['enable_webtofee_powered_by']*1 : 0;
   if(is_array($content_data))
   {
      $content_html=Cookie_Law_Info_Cli_Policy_Generator::generate_page_content($enable_webtofee_powered_by,$content_data);
      update_option('cli_pg_content_data',$content_html);
   }else
   {
      $out=array(
         'response'=>false,
         'er'=>__('Error','cookie-law-info')
      );
   }
   return $out;
}
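
What the missing checks described above look like when present, shown as an added example that is neither the plugin's own code nor its 1.8.3 patch: a guard that verifies the nonce, checks a capability, and validates content_data and page_id before anything is saved. The class name, the nonce action and field names, and the choice of manage_options are assumptions; the code runs inside WordPress.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: Example_Policy_Guard,
// nonce action 'cli_policy_generator', nonce field 'security', cap 'manage_options'.
class Example_Policy_Guard
{
    public function __construct()
    {
        // wp_ajax_{action} fires for every logged-in user, subscribers included.
        add_action('wp_ajax_cli_policy_generator', array($this, 'ajax_policy_generator'));
    }
    public function ajax_policy_generator()
    {
        // 1. Verify the nonce sent with the request; a missing or invalid
        //    nonce ends the request here.
        check_ajax_referer('cli_policy_generator', 'security');
        // 2. Capability check: only administrators may change the policy page.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('er' => 'Forbidden'), 403);
        }
        // 3. Validate input before it reaches wp_insert_post()/update_option().
        $args = $this->clean_request($_POST);
        if (is_wp_error($args)) {
            wp_send_json_error(array('er' => $args->get_error_message()), 400);
        }
        wp_send_json_success($args); // pass $args to the save routine from here
    }
    // Returns sanitized arguments, or WP_Error when the request is not acceptable.
    public function clean_request(array $post)
    {
        $post = wp_unslash($post);
        $content = isset($post['content_data']) ? $post['content_data'] : array();
        if (!is_array($content)) {
            return new WP_Error('bad_content', 'content_data must be an array');
        }
        $page_id = isset($post['page_id']) ? absint($post['page_id']) : 0;
        // An existing page may only be overwritten by a user allowed to edit it.
        if ($page_id && !current_user_can('edit_post', $page_id)) {
            return new WP_Error('bad_page', 'page_id is not editable by this user');
        }
        return array(
            'page_id'      => $page_id,
            // Strip script tags and event-handler attributes from every nested value.
            'content_data' => map_deep($content, 'wp_kses_post'),
        );
    }
}
new Example_Policy_Guard();
```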

Patch Available! Update Now

Update to the latest version 1.8.3 and firewall-protect your website.

The Astra firewall protects your website from attacks like XSS, SQLi, CSRF, LFI, RFI, Spam, Bad bots, OWASP Top 10, and more. Getting started with Astra is super easy. Here’s how to do that:

That’s all. Astra Firewall is actively protecting you from any attacks that might come your way. You can now monitor your website from the Astra dashboard.

How does the Astra Firewall work?

Still not sure? Get an Astra demo from here.

If you have any queries, comment below or drop us a message. We promise to reply 🙂

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.