
GDPR Cookie Consent Plugin Vulnerable to Improper Access Controls | Update Now


The WordPress GDPR Cookie Consent plugin, which makes GDPR compliance easy for site owners, was found to be vulnerable to improper access controls. This flaw can lead to severe issues such as privilege escalation and stored XSS on an affected website. At the time of writing, the GDPR Cookie Consent plugin is active on more than 700,000 WordPress websites.

GDPR Cookie Consent Plugin on WordPress

Timeline of the Vulnerability

The vulnerability was first reported to wordpress.org, after which the plugin was temporarily removed from the WordPress plugin repository. WordPress lifted the ban on the plugin as soon as the patch became available, on the 10th of Feb.

Any site running version 1.8.2 or earlier is vulnerable. Update to the patched version, 1.8.3, as soon as you can.

Understanding the GDPR Plugin’s Vulnerabilities

The vulnerability lies in the cli_policy_generator class, in its __construct method. The cli_policy_generator is reached through the WordPress AJAX API via ajax_policy_generator, which lacks the crucial capability checks. As a result, even though a nonce is sent along with the AJAX request, it is never verified anywhere in the plugin's PHP code.

The ajax_policy_generator, in turn, allows three actions: autosave_contant_data, save_contentdata, and get_policy_pageid.

Two of these actions, autosave_contant_data and save_contentdata, are susceptible to attack. As detailed below, save_contentdata can lead to privilege escalation, while autosave_contant_data can lead to a stored XSS.

Vulnerability in save_contentdata

The save_contentdata method of the cli_policy_generator saves the GDPR cookie policy as a post of type page. By exploiting it, any authenticated user with permissions as low as a subscriber can change a post's status: publish a post, or move a published one back to draft. Or worse, move the whole website to draft, causing it to crash.

// Reached through the ajax_policy_generator dispatcher; by this point neither the
// nonce nor the caller's capabilities have been checked.
public function save_contentdata()
{
   $out=array(
      'response'=>true,
      'er'=>''
   );
   // Both values come straight from the request and are caller-controlled.
   $content_data=isset($_POST['content_data']) ? $_POST['content_data'] : array();
   $page_id=(int) isset($_POST['page_id']) ? $_POST['page_id']*1 : 0;
   $enable_webtofee_powered_by=(int) isset($_POST['enable_webtofee_powered_by']) ? $_POST['enable_webtofee_powered_by']*1 : 0;
   // A caller-supplied page_id updates that existing page; because post_status is
   // hard-coded to 'draft', a published page is unpublished by the call.
   $id=wp_insert_post(
      array(
         'ID'=>$page_id, //if ID is zero it will create new page otherwise update
         'post_title'=>'Cookie Policy',
         'post_type'=>'page',
         'post_content'=>Cookie_Law_Info_Cli_Policy_Generator::generate_page_content($enable_webtofee_powered_by,$content_data,0),
         'post_status' => 'draft', //default is draft
      )
   );
   if(is_wp_error($id))
   {
      $out=array(
         'response'=>false,
         'er'=>__('Error','cookie-law-info'),
         //'er'=>$id->get_error_message(),
      );
   }else
   {
      Cookie_Law_Info_Cli_Policy_Generator::set_cookie_policy_pageid($id);
      $out['url']=get_edit_post_link($id);
   }
   return $out;
}

Vulnerability in autosave_contant_data

The autosave_contant_data method saves the GDPR cookie policy content temporarily in the cli_pg_content_data option while the admin is still editing it.

Because the content written to cli_pg_content_data is never validated, any authenticated user can inject malicious JavaScript into a website running the GDPR Cookie Consent plugin.

// Same dispatcher as above: no nonce verification and no capability check before
// this method runs.
public function autosave_contant_data()
{
   global $wpdb;
   $scan_table=$wpdb->prefix.$this->main_tb;
   $out=array(
      'response'=>true,
      'er'=>''
   );
   // content_data is taken from the request as-is; any markup it contains,
   // including script tags, is passed straight to the page generator.
   $content_data=isset($_POST['content_data']) ? $_POST['content_data'] : array();
   $page_id=isset($_POST['page_id']) ? $_POST['page_id'] : '';
   $enable_webtofee_powered_by=(int) isset($_POST['enable_webtofee_powered_by']) ? $_POST['enable_webtofee_powered_by']*1 : 0;
   if(is_array($content_data))
   {
      $content_html=Cookie_Law_Info_Cli_Policy_Generator::generate_page_content($enable_webtofee_powered_by,$content_data);
      // Stored unvalidated in the cli_pg_content_data option: this is the source
      // of the stored XSS described above.
      update_option('cli_pg_content_data',$content_html);
   }else
   {
      $out=array(
         'response'=>false,
         'er'=>__('Error','cookie-law-info')
      );
   }
   return $out;
}
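Both of the handlers above are reachable by any logged-in user because the dispatcher never verifies the nonce or the caller's capability, and neither handler sanitizes content_data. The following is an added example, not the plugin's own code or its 1.8.3 patch, of how a hardened dispatcher and save handler would look; the action name, nonce name, request field names and the helper function names are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code): the AJAX dispatcher with the checks
// that the vulnerable version lacks. Hook, nonce and field names are assumed.
add_action( 'wp_ajax_cli_policy_generator', 'example_ajax_policy_generator' );
// No 'wp_ajax_nopriv_' hook on purpose: anonymous requests get no entry point.

function example_ajax_policy_generator() {
    // 1. Nonce check: check_ajax_referer() ends the request with -1 when the
    //    'security' field is missing or does not match the admin page's nonce.
    check_ajax_referer( 'cli_policy_generator_nonce', 'security' );

    // 2. Capability check: being authenticated (e.g. as a subscriber) is not
    //    enough; only users who may manage options can touch the policy page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'er' => 'Insufficient permissions' ), 403 );
    }

    // 3. Only the three known sub-actions are dispatched.
    $allowed = array( 'autosave_contant_data', 'save_contentdata', 'get_policy_pageid' );
    $sub     = isset( $_POST['cli_action'] ) ? sanitize_key( $_POST['cli_action'] ) : '';
    if ( ! in_array( $sub, $allowed, true ) ) {
        wp_send_json_error( array( 'er' => 'Unknown action' ), 400 );
    }
    wp_send_json_success( call_user_func( 'example_' . $sub ) );
}

function example_save_contentdata() {
    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    // 4. Refuse to update anything other than a page the caller may edit, so
    //    a supplied ID cannot be used to unpublish arbitrary content.
    if ( $page_id && ( 'page' !== get_post_type( $page_id )
                       || ! current_user_can( 'edit_page', $page_id ) ) ) {
        return array( 'response' => false, 'er' => 'Not allowed' );
    }
    // 5. Sanitize every section with wp_kses_post() before it is stored, which
    //    strips script tags and event-handler attributes (flat array assumed).
    $raw          = isset( $_POST['content_data'] ) && is_array( $_POST['content_data'] )
                    ? wp_unslash( $_POST['content_data'] ) : array();
    $content_data = array_map( 'wp_kses_post', $raw );
    $id = wp_insert_post( array(
        'ID'           => $page_id,
        'post_title'   => 'Cookie Policy',
        'post_type'    => 'page',
        'post_content' => implode( "\n", $content_data ),
        'post_status'  => 'draft',
    ), true );
    if ( is_wp_error( $id ) ) {
        return array( 'response' => false, 'er' => $id->get_error_message() );
    }
    return array( 'response' => true, 'er' => '', 'url' => get_edit_post_link( $id ) );
}
```

The same nonce and capability gate in the dispatcher covers autosave_contant_data, and applying wp_kses_post() to its content_data before update_option() removes the stored XSS path.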

Patch Available! Update Now

Update to the latest version, 1.8.3, and put a firewall in front of your website.

The Astra firewall protects your website from attacks such as XSS, SQLi, CSRF, LFI, RFI, spam, bad bots, the OWASP Top 10, and more. Getting started with Astra is easy. Here's how to do that:

That’s all. Astra Firewall is actively protecting you from any attacks that might come your way. You can now monitor your website from the Astra dashboard.

How does the Astra Firewall work?

Still not sure? Get an Astra demo from here.

If you have any questions, comment below or drop us a message. We promise to reply 🙂
