As was reported by Catalin Cimpanu of ZDNet yesterday, November 9th 2018, earlier this month researchers discovered vulnerabilities in a new WordPress plugin used to help site owners comply with GDPR laws passed by the European Union earlier this year. According to Cimpanu, the WP GDPR Compliance plugin produced by Van Ons was affected, potentially compromising over 100,000 WordPress owners who have already installed it on their sites before November 2018.
“Hackers have exploited –and are currently continuing to exploit– a now-patched zero-day vulnerability in a popular WordPress (WP GDPR Compliance) plugin to install backdoors and take over sites,” Cimpanu explained, adding that “this backdoor script contains a file manager, terminal emulator, and a PHP eval() function runner,” allowing hackers to install further payloads at their discretion. “The second and supposedly more silent technique involves using the WP GDPR Compliance bug to add a new task to WP-Cron. The hackers’ cron job downloads and installs the 2MB Autocode plugin, which attackers later use to upload another backdoor script on the site.”
It is important to note that Van Ons pulled the plugin off WordPress earlier this week, before placing it back online on November 7th – after the 0day vulnerability was patched. The plugin is safe to install today, but all of the sites that installed previous versions of the plugin before November 7th are still potentially compromised.
I don’t bring this story up to fill air time or report what Catalin Cimpanu has already reported a second time, just using different words. I bring this up because last year I had my website compromised by a different WordPress plugin, also designed to help website owners comply with EU laws and regulations. More specifically, my website was compromised by the EU Cookie Consent widget placed on WordPress, mandated by EU law, which allowed 3rd parties to run crypto-miners in the background of the web browsers of visitors visiting my website. I also wasn’t alone; this scam compromised over 200 websites before it was first reported – that researchers could even confirm. However, given that the EU Cookie Consent widget comes pre-installed on every premium WordPress theme/account, there is no telling how many sites were actually affected by the hack.
Granted I am an American website owner and do not have to comply with EU laws if I don’t want to, what troubles me is the fact these plugins or widgets are only being installed so site owners can comply with EU law. In other words, these people are only being hacked because they are trying to follow the law. I was only hacked because I wanted to appear more professional and willing to appeal to a global audience. To this day I do not have to collect cookies if I do not want to; I do it to comply with GDPR rules so they can’t decide to limit my site or audience. Quite frankly, it is irresponsible for the European Union to force website owners to install all of these measures without releasing software guaranteed to help keep people/site owners safe when doing so. GDPR rules and regulations were designed to keep people safe, not make it easier to hack websites – something WordPress and the EU need to look at more carefully throughout the future.
Always exciting when your site starts coming under attack from three angles/countries – Latvia, UK and USA. To 18.104.22.168 – interesting technique, hadn't seen that yet. #MildlyInconvenient #RogueSecurity
— Rogue Media Labs (@RogueSecLabs) October 12, 2018
People need to understand, I host my website in the USA, I do not have to protect anyone's IP if I don't want to, this isn't Europe. The USA wants everyone to be hacked as easily as possible, it's "good" for #NationalSecurity
— Rogue Media Labs (@RogueSecLabs) October 13, 2018