Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent

The plugin is actively installed on over 700,000 websites.
Written by Charlie Osborne, Contributing Writer

Critical security issues caused by improper access controls in a WordPress plugin designed for GDPR cookie compliance have been resolved, but hundreds of thousands of websites may still be vulnerable to attack. 

The GDPR Cookie Consent plugin, offered by developer Cookie Law Info through WebToffee, has been designed to help ensure websites are compliant with the EU's General Data Protection Regulation (GDPR); specifically, obtaining consent for cookies from visitors, the creation of a Privacy & Cookies Policy page and the enablement of banners showing compliance.

The plugin accounts for over 700,000 active installs according to the WordPress library. 

On January 28, NinTechNet researcher Jerome Bruandet discovered a vulnerability affecting GDPR Cookie Consent version 1.8.2 and below.

See also: Enterprise companies struggle to control security certificates, cryptographic keys

The security flaw, of which a CVE number has been requested, is a critical issue caused by missed capabilities checks, leading to authenticated, stored cross-site scripting (XSS) and potentially privilege escalation.

A vulnerable AJAX endpoint is the root cause of the problem, in which a failure to implement checks meant that three actions were exposed: get_policy_pageid, autosave_contant_data, and save_contentdata.

According to WordPress security organization WordFence, "because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site's security."

While get_policy_pageid only offers the post ID of a cookie policy page and does not, therefore, pose much harm, the exposure of autosave_contant_data -- (spelling mistake in the code) -- a function intended for the definition of default content in the policy preview page means that this page could be injected with XSS payloads. 

Malicious payloads could then be executed that load when http:// websitename /cli-policy-preview/ is visited by members of the public.

In addition, save_contentdata is intended for use in creating or updating the post used for the policy page, and so exposure could permit attackers to change the post content in a number of different ways. 

CNET: IPVanish vs. ExpressVPN: Security, speed and price compared

"An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from "published" to "draft,"" Bruandet said. 

It may also be possible to use this action to delete material or inject content including "formatted text, local or remote images as well as hyperlinks and shortcodes," the researcher says.

TechRepublic: Cloud computing security: These two Microsoft tools can help you battle shadow IT

The severe vulnerability was reported to the developer on February 4. The plugin was temporarily removed from the WordPress.org directory pending a fix on February 8. A patch was made available two days later and was pushed to plugins.svn.wordpress.org. 

It is recommended that GDPR Cookie Consent plugin users make sure they are using the latest version of the software, 1.8.3, to stay protected. At the time of writing, 64.5 percent of users have updated -- with thousands of websites left to go. 

The biggest Internet of Things, smart home hacks of 2019

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards