Data Privacy Breach due to Flaw in WordPress GDPR Compliance Tool

The owners of WordPress have published an advisory urging asking to refresh the WP GDPR Compliance plug-in as soon as they can due to a vulnerability in the software leading to a possible privacy breach.

The plug-in with the flaw, ironically, was programmed to help website owners achieve compliance with all General Data Protection Regulation, the new European Union data privacy legislation. WP GDPR Compliance was discovered to have a serious vulnerability that permits unauthorized users to gain access to the back end of websites. It is even possible to unauthorized people to obtain access and set up administrator user privileges, letting them to return and to the back end of the website.

The WP GDPR Compliance plugin was created in order to automate GDPR tasks such as data access requests and data deletion requests. The GDPR legislation, that was introduced on May 25 2018, includes an obligation for companies to give their users the option to view or delete data that relates to them.

The update on the WPScan Vulnerability Database says that this vulnerability permits anyone to do whatever they wish to with the site. It says: “The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.”

In addition to this it said that users should update the plug-in to the most recently released version, 1.4.3, as soon as possible in order to address the security weakness. To emphasise the extent of the reach of this flaw the plug-in affected by been installed over 100,000 times by WordPress account holders and website administrators.

WordPress security plugin developer WordFence emphasized the impact of the  GDPR data privacy breach saying: “More then a hundred thousand WordPress sites using the WP GDPR Compliance plugin were vulnerable to this type of attack. It is of critical importance that any site using this plugin performs the update as soon as possible.”

In addition it stated: “Whether an infected site is serving spam emails, hosting a phishing scam, or any other direct or indirect monetization, there’s often a clear goal identified as part of the triage process. However, despite the rapid occurrence of these identified cases, so far our research has only turned up backdoor scripts on sites impacted by this issue. This serves to help prevent other attackers from creating their own administrator accounts, as well as reducing the likelihood that a site’s administrator will notice a problem. It closes the door behind the attacker.”

Any group or organization using WordPress should immediately review the online portal to see if their website is using this plug in. If they are then the update should be swiftly completed in order to ensure avoidance of a €20m or 4% of annual global revenue fine (whichever is higher) possible as per the new GDPR legislation.