
Privilege Escalation Flaw In WP GDPR Compliance Plugin

WordPress GDPR Compliance 1.4.3 is now available. This is a security release for all previous versions and we strongly encourage you to update immediately.

Download 1.4.3 or venture over to Dashboard → Updates and simply click “Update Now”.

Fix

After 1.4.3 became available hackers started to actively target previous versions. Anyone who didn’t update the plugin right away on November 7th, 2018 should look for changes in their database. Most noticeably there will be one or several users you don’t recognise with admin rights. Any account that you do not recognise should be deleted.
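One way to carry out the check described above, written for this page as an added example and not code shipped by the plugin: a small WordPress snippet that lists every account holding the administrator role whose registration date falls on or after November 6th, 2018, so unfamiliar accounts stand out. The function name and the default date are assumptions; the WordPress APIs used (WP_User_Query with a date_query on the registration date) are standard.

```php
<?php
// Added illustration, not part of the WP GDPR Compliance plugin. Drop it into a
// mu-plugin or run it through WP-CLI's `wp eval-file`; it only reads data.

/**
 * Return administrator accounts registered on or after $since.
 * Accounts you do not recognise in this list are candidates for removal.
 *
 * @param string $since MySQL datetime; default is the day the flaw was reported (assumption).
 * @return array<int, array{ID:int, login:string, email:string, registered:string}>
 */
function wpgdprc_example_recent_admins( $since = '2018-11-06 00:00:00' ) {
    $query = new WP_User_Query(
        array(
            'role'       => 'administrator',
            // date_query on a user query filters on the user_registered column.
            'date_query' => array(
                array(
                    'after'     => $since,
                    'inclusive' => true,
                ),
            ),
            'orderby'    => 'registered',
            'order'      => 'DESC',
            'fields'     => 'all',
        )
    );

    $rows = array();
    foreach ( $query->get_results() as $user ) {
        $rows[] = array(
            'ID'         => (int) $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    return $rows;
}

// Usage: print the suspicious candidates for a manual review.
foreach ( wpgdprc_example_recent_admins() as $row ) {
    printf(
        "%d\t%s\t%s\t%s\n",
        $row['ID'],
        $row['login'],
        $row['email'],
        $row['registered']
    );
}
```

The registration date is only a first filter: an attacker who elevated an existing account would not appear here, so the full administrator list (the same query without the date_query) is still worth a look.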

If possible we recommend restoring a complete backup of your site from before November 6th, 2018. After restoring please update to 1.4.3 right away.

There are also tools (freely) available that help you clean your database of any malicious injections.

We asked the Plugin Directory Team to see if there’s a possibility for a forced plugin update but they told us that is not an option.

Discovery

The vulnerabilities were reported to us by the WordPress.org Plugin Directory Team on Tuesday, November 6th 2018. Thanks to their thorough analysis and quick response we were able to release 1.4.3 within 24 hours.

Changelog

Incorrect handling of user-supplied input, combined with unsafe unserialization, can make previous versions vulnerable to SQL injection.

* Security fix: Removed base64_decode() function.
* Security fix: Correctly escape input in $wpdb->prepare() function.
* Security fix: Only allow modifying WordPress options used by the plugin and by the user capabilities.
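The three changelog items above describe a pattern rather than a single line of code. The following handler is an added illustration of that hardened pattern; it is not the plugin's own code, and every option name, nonce action and table name in it is a hypothetical placeholder. It decodes request data with json_decode() instead of base64_decode()/unserialize(), restricts update_option() to an allow-list of the plugin's own option keys behind a capability check, and reads from the database only through $wpdb->prepare() placeholders.

```php
<?php
// Added illustration of the 1.4.3 hardening measures (not the plugin's code).
// All option names, the nonce action and the table name below are hypothetical.

// Fix 3, part one: only options this plugin owns may be changed via this handler.
const WPGDPRC_EXAMPLE_ALLOWED_OPTIONS = array(
    'wpgdprc_example_enabled',
    'wpgdprc_example_notice_text',
);

function wpgdprc_example_save_setting() {
    // Fix 3, part two: the caller must hold the capability for changing options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capabilities', 403 );
    }
    // Reject requests that did not originate from the plugin's own admin page.
    check_ajax_referer( 'wpgdprc_example_nonce', 'security' );

    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, WPGDPRC_EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    // Fix 1: no base64_decode()/unserialize() on request data. JSON is decoded to
    // plain arrays and scalars only, so no PHP object can be instantiated from it.
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = json_decode( $raw, true );
    if ( null === $value && 'null' !== $raw ) {
        $value = $raw; // not JSON: treat as a plain string
    }
    // Sanitize every leaf before it is stored.
    $value = map_deep( $value, 'sanitize_text_field' );

    update_option( $option, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpgdprc_example_save_setting', 'wpgdprc_example_save_setting' );

// Fix 2: user input reaches SQL only through $wpdb->prepare() placeholders
// (%s for strings, %d for integers), never by string concatenation.
function wpgdprc_example_find_requests( $email, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpgdprc_example_requests'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT ID, email, date_created FROM {$table} WHERE email = %s ORDER BY date_created DESC LIMIT %d",
        $email,
        (int) $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The allow-list is deliberately a fixed constant rather than something derived from the request: a handler that updates whichever option name the client sends, with no capability check, is exactly the kind of code that lets an unauthenticated request create an administrator account or change registration settings, which matches the unrecognised admin users described in the Fix section above.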

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
