A critical vulnerability has been discovered in the WordPress GDPR Cookie Consent plugin, which is designed to help site owners make their websites GDPR compliant.
The GDPR Cookie Consent plugin, last updated three days ago, comes with a number of features, including configuration of cookie details from the admin dashboard, customization of the cookie notice style, and more. It also adds a subtle cookie banner to the website. NinTechNet security researcher Jerome Bruandet found the bug in the plugin, which is maintained by WebToffee.
Improper access controls caused the vulnerability
According to Bruandet, the plugin, which is installed on over 700,000 websites, allows a potential attacker to delete and change content and to inject malicious JavaScript code. The root cause is improper access control: the plugin does not check whether the authenticated user making a request is actually permitted to perform the requested action. Bruandet explains the vulnerability as follows:
“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from ‘published’ to ‘draft’. Additionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes.”
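The class of bug described above can be shown with a short WordPress admin-ajax handler. The example below was written for this article; it is not the GDPR Cookie Consent plugin's code and the action name, function names and parameter names (`demo_save_page`, `page_id`, `content`, `status`, `nonce`) are hypothetical. The first handler omits the nonce and capability checks, so any logged-in user who can reach admin-ajax.php can rewrite an arbitrary post and flip it to draft; the second adds the checks WordPress already provides for exactly this purpose.

```php
<?php
/**
 * Illustrative example only (hypothetical action and function names).
 * Not the GDPR Cookie Consent plugin's code.
 *
 * Any logged-in user, including a subscriber, can POST to
 * /wp-admin/admin-ajax.php?action=<name> and reach a wp_ajax_<name> handler.
 * Authorization is therefore the handler's responsibility, not WordPress's.
 */

/* ---- Vulnerable pattern: improper access control ---------------------- */

add_action( 'wp_ajax_demo_save_page_insecure', 'demo_save_page_insecure' );

function demo_save_page_insecure() {
    $post_id = absint( $_POST['page_id'] ?? 0 );

    // No nonce check and no capability check: the caller's role is never
    // consulted, so a subscriber can overwrite any post's content and
    // change its status from 'publish' to 'draft', taking it offline.
    wp_update_post(
        array(
            'ID'           => $post_id,
            'post_content' => wp_unslash( $_POST['content'] ?? '' ), // raw HTML, <script> included
            'post_status'  => 'draft',
        )
    );
    wp_send_json_success();
}

/* ---- Hardened version -------------------------------------------------- */

add_action( 'wp_ajax_demo_save_page', 'demo_save_page_secure' );

function demo_save_page_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action (e.g. wp_create_nonce( 'demo_save_page' ) on the admin page).
    //    check_ajax_referer() dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_page', 'nonce' );

    $post_id = absint( $_POST['page_id'] ?? 0 );

    // 2. Authorization: 'edit_post' is a meta capability that WordPress maps
    //    per post, so this rejects subscribers outright and also rejects a
    //    contributor trying to edit somebody else's page.
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: keep only the HTML the post editor would allow
    //    (wp_kses_post() strips <script> tags and on* event handlers) and
    //    take the status from an explicit allow-list instead of the caller.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    $status  = sanitize_key( $_POST['status'] ?? 'draft' );
    if ( ! in_array( $status, array( 'draft', 'publish' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    // Publishing is a separate capability from editing; do not let the
    // right to edit silently become the right to publish.
    if ( 'publish' === $status && ! current_user_can( 'publish_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $result = wp_update_post(
        array(
            'ID'           => $post_id,
            'post_content' => $content,
            'post_status'  => $status,
        ),
        true // return a WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $result ) );
}
```

Two things to keep in mind when reviewing a plugin for this pattern: `wp_ajax_nopriv_` handlers are reachable without any login at all, so they need the same scrutiny with an even lower trust assumption, and REST API routes registered with `register_rest_route()` need an explicit `permission_callback` that performs the equivalent `current_user_can()` check.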
WebToffee released the patched version 1.8.3 on February 10. The vulnerability does not yet have a CVE ID, but it is rated as critical. The WordPress security firm Wordfence also reported the flaw after WebToffee had patched it. Since the release of the patched version, only around 76,000 of the affected sites have updated their installations, which leaves the large majority still running a vulnerable version. Site owners can confirm the installed version on the Plugins screen of the dashboard or, on the command line, with `wp plugin list` from WP-CLI; anything below 1.8.3 should be updated.