Critical bugs have been discovered in the WordPress GDPR Cookie Consent plugin, which is designed to assist customers in making their websites GDPR compliant.
The WordPress GDPR Cookie Consent plugin, which was last updated 3 days ago, comes with many features, including configuration of cookie details for the admin, customization of the cookie notice style and more. It also adds a subtle cookie banner to the website. NinTechNet security researcher Jerome Bruandet found a bug in this plugin, which is maintained by WebToffee.
Improper access controls caused the vulnerability
“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from ‘published’ to ‘draft’. Additionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes.”
WebToffee released the patched version 1.8.3 on February 10. The vulnerability doesn't yet have a CVE ID, but it is rated as critical. The WordPress security firm Wordfence also discovered the flaw after it was patched by WebToffee. Since the release of the patched version, only over 76,000 users have updated their installations.