A very critical vulnerability in the WP GDPR Compliance plugin (100,000+ active installations) is currently being exploited.

This vulnerability allows attackers to modify the wp_options table. In the current wave of attacks, the default user role is being changed to Administrator and user registration is being enabled so the site can then be further manipulated with a newly created admin account.
In previous cases, admin users with the names t2trollherten or t3trollherten were created.

The vulnerability was fixed in version 1.4.3. If you use this plugin, you should urgently perform an update.

As part of our WordPress maintenance contracts and the security flat rate, we have already checked and updated all customer websites.

Immediate measures if an unknown WordPress admin exists

1. Delete the unknown user

2. Check WordPress Settings -> General

Verify the WordPress/website address (URL), the email address, the membership setting, and the default role of a new user.

3. Analyze access logs (log analysis tool)

This shows whether malicious files (web shells/backdoors) have been uploaded and used, in this case wp-upd.php (often wp-cache.php as well).

4. Check the database (wp_posts) for <script injections

Export the database via phpMyAdmin or backup plugin as a .sql file -> open it with a text editor -> search for "<script" -> inspect the results carefully.
[Screenshot: database script injection, example of a JS file loaded from an external server]
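
Steps 2 to 4 can be scripted against an access log and the .sql export. The following Python script is an added example, not part of the original article: the function names, the assumed combined log format, the mysqldump-style row layout and all sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators named on this page: dropped web shells and the theme upload action.
LOG_IOCS = ("wp-upd.php", "wp-cache.php", "upload-theme")
# Assumed combined log format: ip - user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# src of a <script> tag; SQL dumps may escape the quote as \" or \'
SCRIPT_RE = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*\\?["\']([^"\'\\]+)', re.I)
OPTION_RE = re.compile(r"'(users_can_register|default_role)'\s*,\s*'([^']*)'")
# Option values set in the attack wave described above.
BAD_OPTIONS = {("users_can_register", "1"), ("default_role", "administrator")}

def suspicious_requests(log_lines):
    """Return (ip, time, method, path, status) for requests matching a LOG_IOC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and any(ioc in m.group(4).lower() for ioc in LOG_IOCS):
            hits.append(m.groups())
    return hits

def external_scripts(sql_dump, own_hosts):
    """Return sorted hosts of <script src=...> URLs that are not in own_hosts."""
    hosts = {urlsplit(src).hostname for src in SCRIPT_RE.findall(sql_dump)}
    return sorted(h for h in hosts if h and h not in own_hosts)

def tampered_options(sql_dump):
    """Return the wp_options rows in the dump that match BAD_OPTIONS."""
    return sorted(set(OPTION_RE.findall(sql_dump)) & BAD_OPTIONS)

# Constructed sample data (documentation IPs and .example hosts), not real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0100] "GET /blog/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Mar/2024:10:05:40 +0100] "POST /wp-upd.php HTTP/1.1" 200 31',
    '198.51.100.9 - - [12/Mar/2024:10:06:11 +0100] '
    '"POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 812',
]
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (5,'users_can_register','1','yes'),
(6,'default_role','administrator','yes');
INSERT INTO `wp_posts` VALUES (1,'<p>Hi</p><script src=\"https://cdn.injected.example/a.js\"></script>'),
(2,'<script src=\"/wp-includes/js/ok.js\"></script>');
"""

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print(external_scripts(SAMPLE_DUMP, {"www.example.org"}), tampered_options(SAMPLE_DUMP))
```

Pass your own hostnames in own_hosts so that only scripts loaded from foreign servers are reported; every hit still needs manual review.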

If there are no anomalies up to this point, especially in the logs (upload-theme, wp-upd.php, wp-cache.php or similar accesses) -> you got lucky!

Otherwise, the complete WordPress installation must be restored from a suitable backup or cleaned/rebuilt.
The procedure is described here.

The GDPR Compliance plugin hack analyzed here resulted in around 200 modified PHP and JS files, in addition to script injections in all posts.


WP GDPR Compliance Vulnerability entry in the WPScan database:
https://wpvulndb.com/vulnerabilities/9144
