{"id":18476,"date":"2018-11-09T20:53:41","date_gmt":"2018-11-09T20:53:41","guid":{"rendered":"http:\/\/26def469-92cc-45fc-8fb8-8ce7a75c6987"},"modified":"2018-11-09T20:53:41","modified_gmt":"2018-11-09T20:53:41","slug":"zero-day-in-popular-wordpress-plugin-exploited-in-the-wild-to-take-over-sites","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/zero-day-in-popular-wordpress-plugin-exploited-in-the-wild-to-take-over-sites\/","title":{"rendered":"Zero-day in popular WordPress plugin exploited in the wild to take over sites"},"content":{"rendered":"

\"wp-gdpr-plugin.png\"\/<\/span><\/p>\n

Hackers have exploited –and are currently continuing to exploit– a now-patched zero-day vulnerability in a popular WordPress plugin to install backdoors and take over sites.<\/p>\n

The vulnerability affects WP GDPR Compliance<\/a>, a WordPress plugin that helps site owners become GDPR compliant. The plugin is one of the most popular GDPR-themed plugins on the WordPress Plugins directory, with over 100,000 active installs.<\/p>\n

\n

More security news<\/span><\/h3>\n<\/div>\n

Around three weeks ago, attackers seem to have discovered a vulnerability in this plugin and began using it to gain access to WordPress sites and install backdoor scripts.<\/p>\n

Initial reports<\/a> about hacked sites were made into another plugin’s support forum, but that plugin turned out to have been installed as a second-stage payload on some of the hacked sites.<\/p>\n

After investigations led by the WordPress security team, the source of the hacks was eventually traced back to WP GDPR Compliance, which was the common plugin installed on all reported compromised sites.<\/p>\n

The WordPress team removed the plugin from the official Plugins directory earlier this week after they identified several security issues within its code, which they believed were the cause of the reported hacks.<\/p>\n

The plugin was reinstated two days ago, but only after its authors released version 1.4.3<\/a>, which contained patches for the reported issues.<\/p>\n

Attacks are still going on<\/h3>\n
\n<\/section>\n

But despite the fixes, attacks on sites still running versions 1.4.2 and older are still going on, according to security experts from Defiant<\/a>, a company that runs the Wordfence firewall plugin for WordPress sites.<\/p>\n

The company’s analysts say they’re continuing to detect attacks that try to exploit one of the reported WP GDPR Compliance security issues.<\/p>\n

In particular, attackers are targeting a WP GDPR Compliance bug that allows them to make a call to one of the plugin’s internal functions and change settings for both the plugin, but also for the entire WordPress CMS.<\/p>\n

The Wordfence team says they’ve seen two types of attacks using this bug. The first scenario goes like this:<\/p>\n