GDPR Cookie Consent, a WordPress plugin, inadvertently exposed websites to cross-site scripting (XSS) attacks through a vulnerability that affects versions 1.8.2 and below of the plugin. As disclosed in a report by NinTechNet, the vulnerability allowed privilege escalation. The plugin had over 700,000 active installations at the time of the exploit.
No CVE number has been assigned to the vulnerability yet. The plugin has been patched in version 1.8.3 and subsequent versions.
How the vulnerability works
The vulnerability is the result of improper access control in the AJAX endpoint that the plugin's __construct method registers when the object is initialized. This endpoint, originally intended only for administrators, did not verify the identity or permissions of the user making the request.
Figure 1. Vulnerable code in admin/modules/cli-policy-generator/classes/class-policy-generator-ajax.php
The __construct method accepts three different values through the AJAX API:
autosave_contant_data (sic) – defines the default content that appears in the cookie preview page
save_contentdata – sends a POST request to the database in order to store cookie information
get_policy_pageid – returns the post ID of the cookie configuration page
The first two functions are the most dangerous parts of the exploit since they can be used to upload custom payloads to the vulnerable site.
Figure 2. The autosave_contant_data function, which can be used to perform an XSS attack
The second of the two functions, save_contentdata, allows the attacker to send information to the backend database and modify page content. In addition, by setting the status of the page to draft instead of published, an attacker can use the function to make parts of the website invisible to the public and leverage this for a Denial of Service (DoS) attack.
Figure 3. The save_contentdata function, which can be used to modify page structure and potentially cause DoS
The improper access control vulnerability was patched in version 1.8.3. The patch adds a check to the ajax_policy_generator function called by __construct to verify that the user’s nonce value is valid and that the user has the correct permissions to modify the plugin content. With the patched constructor function, users without the correct permissions can no longer use autosave_contant_data or save_contentdata to inject code.
Figure 4. Check added to the ajax_policy_generator function to patch the access control vulnerability
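As an added illustration (not the plugin's own code), the following shows the AJAX handler pattern described above in its vulnerable shape and then with the nonce and capability checks that the patch introduces; the class names, hook name, request field names and nonce action are assumptions, and the save_contentdata body is a minimal stand-in.

```php
<?php
// Illustrative reconstruction of the access-control flaw and its fix.
// Names below (classes, 'policy_generator' hook/nonce action, 'type',
// 'security', 'page_id', 'content', 'status' fields) are assumptions.

class Policy_Generator_Ajax_Before {
    public function __construct() {
        // Registered for every logged-in user; nothing below checks who they are.
        add_action( 'wp_ajax_policy_generator', array( $this, 'ajax_policy_generator' ) );
    }

    public function ajax_policy_generator() {
        $type = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : '';
        if ( 'save_contentdata' === $type ) {
            $this->save_contentdata(); // reachable by a subscriber-level account
        }
        wp_die();
    }

    protected function save_contentdata() {
        // The caller controls the page body and its status, so the page can be
        // rewritten or switched to 'draft' and thereby hidden from the public.
        wp_update_post( array(
            'ID'           => isset( $_POST['page_id'] ) ? (int) $_POST['page_id'] : 0,
            'post_content' => isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '',
            'post_status'  => ( isset( $_POST['status'] ) && 'draft' === $_POST['status'] ) ? 'draft' : 'publish',
        ) );
    }
}

class Policy_Generator_Ajax_After extends Policy_Generator_Ajax_Before {
    public function ajax_policy_generator() {
        // 1. The request must carry a nonce minted for this action (the admin
        //    page would embed it via wp_create_nonce( 'policy_generator' ));
        //    a missing or stale nonce ends the request with HTTP 403.
        check_ajax_referer( 'policy_generator', 'security' );

        // 2. The user must hold an administrator-level capability; a valid
        //    nonce alone proves intent, not authorization.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
        }

        // Only now is the original dispatch logic allowed to run.
        parent::ajax_policy_generator();
    }
}
```

Both checks are needed: the nonce stops cross-site forgery of an administrator's request, and the capability test is what stops a low-privileged account from calling the endpoint directly.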
Everyone using this plugin should update to the latest version (>= 1.8.3) as soon as possible to mitigate the risk.
Protecting systems against compromise
The GDPR imposes hefty fines on those who don’t comply with its data privacy and protection standards. To adhere to these regulations, enterprises should ensure that their systems are protected from compromise, including compromise brought about by newly discovered vulnerabilities. This is why it is highly recommended that patches and updates are installed as soon as they are released. GDPR compliance checklists can also help ensure that no stone is left unturned.
Security solutions can also be deployed as additional protection for vulnerabilities. Trend Micro™ TippingPoint™ Threat Protection System defends with real-time and automated remediation of vulnerable systems as it detects and blocks targeted attacks and malware. It protects users from this vulnerability through the following TP filter:
Trend Micro™ Deep Security™ protects systems against both existing and new threats and vulnerabilities with the use of machine learning and virtual patching. It safeguards users from this vulnerability via this DS rule: