WordPress GDPR Compliance Plugin Flaw Leads to Data Privacy Breach

November 15, 2018


The operators of the content management platform WordPress have released an advisory urging users to update the WP GDPR Compliance plugin as soon as possible, because a flaw in the software can lead to a privacy breach.

The plugin in question was, ironically, developed to help website owners comply with the General Data Protection Regulation (GDPR), the new EU data privacy law. WP GDPR Compliance was found to contain a serious vulnerability that lets unauthorized users gain access to the back end of affected websites. An attacker can even create accounts with administrator privileges, allowing them to return to the site's back end at a later date.

The WP GDPR Compliance plugin was created to automate GDPR tasks such as data access requests and data erasure requests. Under the GDPR, which came into force on May 25 this year, firms are obliged to give their users the option to view or erase data that relates to them.

According to an update on the WPScan Vulnerability Database, the vulnerability lets anybody do whatever they want with the site. It states: “The plugin WP GDPR Compliance lets unauthorized users perform any action and update any database value. If the request data form is available for unauthorized users, even unauthenticated users are able to do this.”

The entry goes on to say that users must update the plugin to the latest version, 1.4.3, as soon as they can in order to address the vulnerability. To put the reach of this flaw in perspective, the affected plugin has been downloaded more than 100,000 times by WordPress account holders and website administrators.

WordPress security plugin developer Wordfence commented on the GDPR data privacy breach, saying: “More than a hundred thousand WordPress sites using the WP GDPR Compliance plugin were susceptible to this type of attack. It is of vital importance that any site using this plugin carries out the update as soon as possible.”

It went on to say: “Whether an infected site is serving spam emails, hosting a phishing scam, or any other direct or indirect monetization, there’s often a clear objective identified as part of the triage process. Nevertheless, despite the rapid occurrence of these identified cases, so far our research has only turned up backdoor scripts on sites impacted by this issue. This serves to help prevent other attackers from creating their own administrator accounts, and reduces the likelihood that a site’s owner will notice a problem. It closes the door behind the attacker.”

Any firm using WordPress should immediately check whether its website runs this plugin. If it does, the update must be applied straight away to reduce the risk of a fine of up to €20m or 4% of annual global turnover (whichever is higher) under the GDPR. Updating alone does not undo an existing compromise: as Wordfence's findings above show, attackers created administrator accounts and left backdoor scripts behind, so any site that ran a vulnerable version should also be checked for unfamiliar administrator accounts and unexpected files.
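The two checks just described, as an added example written for this page rather than code from the article, WPScan, Wordfence or the plugin's authors. It assumes the plugin's header file lives at the usual wordpress.org slug path (wp-content/plugins/wp-gdpr-compliance/wp-gdpr-compliance.php) and that the user list comes from WP-CLI's `wp user list --format=json`, whose field names and comma-separated `roles` string are assumed here; both inputs below are constructed samples.

```python
"""Added example (not from the article or the plugin's authors): two checks a
WordPress operator can run after this advisory. The plugin path, the WP-CLI
JSON field names and both sample inputs are assumptions, not facts stated in
the article."""
import json
import re
from datetime import datetime

# Version the advisory names as the fix.
FIXED_VERSION = "1.4.3"

# Constructed sample of the plugin's main file header. On a real install read
# wp-content/plugins/wp-gdpr-compliance/wp-gdpr-compliance.php (slug assumed).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP GDPR Compliance
 * Version: 1.4.2
 * Author: (constructed sample)
 */
"""


def parse_version(plugin_file_text):
    """Pull the Version: field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v):
    """Numeric comparison key so that 1.4.10 sorts above 1.4.3."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def audit_plugin_file(plugin_file_text):
    """Report the installed version and whether it still needs the 1.4.3 update."""
    installed = parse_version(plugin_file_text)
    if installed is None:
        return {"installed": None, "vulnerable": None}
    return {"installed": installed, "vulnerable": is_vulnerable(installed)}


# Constructed sample in the shape of `wp user list --format=json`
# (WP-CLI; the "roles" field is assumed to be a comma-separated string).
SAMPLE_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2016-03-02 10:15:00",
     "roles": "administrator"},
    {"ID": 7, "user_login": "editor_jane", "user_registered": "2018-11-10 08:00:00",
     "roles": "editor"},
    {"ID": 12, "user_login": "new_admin", "user_registered": "2018-11-09 03:12:44",
     "roles": "administrator"},
])


def recent_admins(user_list_json, since):
    """Logins of administrator accounts registered on or after `since` (YYYY-MM-DD).

    Updating the plugin does not remove accounts an attacker already created,
    so every login returned here needs a human to confirm it is legitimate.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    found = []
    for user in json.loads(user_list_json):
        roles = user.get("roles", "")
        if isinstance(roles, str):
            roles = roles.split(",")
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            found.append(user["user_login"])
    return found


if __name__ == "__main__":
    print(audit_plugin_file(SAMPLE_PLUGIN_HEADER))
    print(recent_admins(SAMPLE_USER_LIST, "2018-11-01"))
```

Pick the cutoff date for `recent_admins` from your own records (for example the day the vulnerable version was installed); any administrator created after it that nobody on the team recognises should be treated as a sign of compromise, and the backdoor files Wordfence describes then need to be looked for separately.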