Zero-day in popular WordPress plugin exploited in the wild to take over sites

Attacks started around three weeks ago and are still going on. Users should update the WP GDPR Compliance plugin to version 1.4.3 to protect their sites.

wp-gdpr-plugin.png

Hackers have exploited --and are currently continuing to exploit-- a now-patched zero-day vulnerability in a popular WordPress plugin to install backdoors and take over sites.

The vulnerability affects WP GDPR Compliance, a WordPress plugin that helps site owners become GDPR compliant. The plugin is one of the most popular GDPR-themed plugins on the WordPress Plugins directory, with over 100,000 active installs.

Around three weeks ago, attackers seem to have discovered a vulnerability in this plugin and began using it to gain access to WordPress sites and install backdoor scripts.

Initial reports about hacked sites were made into another plugin's support forum, but that plugin turned out to have been installed as a second-stage payload on some of the hacked sites.

After investigations led by the WordPress security team, the source of the hacks was eventually traced back to WP GDPR Compliance, which was the common plugin installed on all reported compromised sites.

The WordPress team removed the plugin from the official Plugins directory earlier this week after they identified several security issues within its code, which they believed were the cause of the reported hacks.

The plugin was reinstated two days ago, but only after its authors released version 1.4.3, which contained patches for the reported issues.

Attacks are still going on

But despite the fixes, attacks on sites still running versions 1.4.2 and older are still going on, according to security experts from Defiant, a company that runs the Wordfence firewall plugin for WordPress sites.

The company's analysts say they're continuing to detect attacks that try to exploit one of the reported WP GDPR Compliance security issues.

In particular, attackers are targeting a WP GDPR Compliance bug that allows them to make a call to one of the plugin's internal functions and change settings for both the plugin, but also for the entire WordPress CMS.

The Wordfence team says they've seen two types of attacks using this bug. The first scenario goes like this:

  • Hackers use bug to open the site's user registration system.
  • Hackers use bug to set the default role for new accounts to "administrator."
  • Hackers register a new account, which automatically becomes an administrator. This new account is usually named "t2trollherten."
  • Hackers set back default user role for new accounts to "subscriber."
  • Hackers disable public user registration.
  • Hackers log into their new admin account.
  • They then proceed to install a backdoor on the site, as a file named wp-cache.php.

This backdoor script (GUI pictured below) contains a file manager, terminal emulator, and a PHP eval() function runner, and Wordfence says that "a script like this on a site can allow an attacker to deploy further payloads at will."

wp-gdpr-plugin-backdoor.png
Image: Defiant

But experts also detected a second type of attack, which doesn't rely on creating a new admin account, which might be spotted by the hacked site's owners.

This second and supposedly more silent technique involves using the WP GDPR Compliance bug to add a new task to WP-Cron, WordPress' built-in task scheduler.

The hackers' cron job downloads and installs the 2MB Autocode plugin, which attackers later use to upload another backdoor script on the site --also named wp-cache.php, but different from the one detailed above.

But while hackers tried to make this second exploitation scenario more silent than the first, it was, in fact, this technique that led to the zero-day's discovery.

This happened because, on some sites, the hackers' exploitation routine failed to delete the 2MB Autocode plugin. Site owners saw a new plugin appeared on their sites and panicked.

It was, in fact, on this plugin's WordPress support forum that site owners first complained about hacked sites, and triggered the investigation that led back to the WP GDPR Compliance plugin.

Attackers are stockpiling hacked sites

Right now, the attackers don't appear to be doing anything malicious with the hacked sites, according to the Wordfence team.

Hackers are just stockpiling hacked sites, and Wordfence has not seen them trying to deploy anything malicious through the backdoor scripts, such as SEO spam, exploit kits, malware, or other kinds of badness.

Site owners using the WP GDPR Compliance plugin still have time to update or remove the plugin from their sites and clean any backdoors that have been left behind. They should do this before their site takes a hit in terms of search engine rankings, which usually happens after Google finds malware on their domains during its regular scans.

More security coverage: