WP GDPR Plugin Hacked – Update Immediately by @martinibuster

The popular WP GDPR Compliance plugin has a serious vulnerability. Any version below 1.4.3 is vulnerable. Attackers are actively exploiting it, and sites are being compromised as of this writing. It is highly recommended that you update now.

Hacking Season 2018

It’s been my anecdotal observation for the past several years that hacking-related events tend to increase in the months leading up to Christmas. Bot activity probing sites for vulnerabilities seems to pick up beginning in November. I believe the reason is that criminals are targeting holiday shoppers.

These bots are not restricted to WordPress sites; every kind of CMS is being scanned. If your CMS or server software is out of date, there is a strong possibility that your site has already been compromised, whatever CMS you run.

According to my traffic logs, all kinds of software are being probed for vulnerabilities.

How Bad is the GDPR Plugin Hack?

This vulnerability is as bad as they get. Sites are actively being targeted.

For example, a Facebook user shared the following screenshot of their hacked site. It shows that the attackers were able to create two Administrator-level users on the site.

Screenshot of a WordPress control panel showing hackers with admin privileges.

An Administrator-level user can do anything on a WordPress site, including installing plugins, editing theme files and creating further users. The Facebook user confirmed that the site used the WP GDPR Compliance plugin.

The victim related that the hacking appeared to be automated: the attackers had not yet installed backdoors or rogue pages.

He removed the rogue administrator accounts, replaced his old WordPress installation with a fresh copy, and updated the plugin. The site was soon back online, free of the effects of the hack.

It appears the attackers may be using bots whose only job is to compromise WordPress sites through the WP GDPR vulnerability and register admin accounts; the rogue web pages come later. Nevertheless, it’s important to update this plugin as soon as possible.

What is the WordPress GDPR Hack?

According to the WPScan Vulnerability Database, the vulnerability allows an attacker to do whatever they want with the site. Here is how the database describes it:

“The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.”

Update WP GDPR Plugin

Update your plugin to the fixed version, 1.4.3 (or higher if available). Any version below 1.4.3 is vulnerable.
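As a worked triage check (added here; this is not the author’s code or anything shipped by the plugin), the script below turns the two facts the article gives into something you can run against a site’s own data: versions below 1.4.3 are vulnerable, and the observed attack leaves behind newly created Administrator accounts. It assumes the version string comes from `wp plugin get wp-gdpr-compliance --field=version` and the user list from `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv` (the plugin slug and the CSV layout are assumptions); the sample version and user rows embedded in the block are constructed, not taken from any real site.

```python
"""Triage checks for the WP GDPR Compliance incident described above.

Check 1: is the installed plugin version below the fixed release (1.4.3)?
Check 2: which Administrator accounts exist, and which are unexpected or new?

The user data is expected in the CSV shape that
  wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
prints, and the version in the form that
  wp plugin get wp-gdpr-compliance --field=version
prints (slug assumed). Both are read from constants here so the script runs offline.
"""
import csv
import io
from datetime import datetime, timedelta

FIXED_VERSION = "1.4.3"

# Constructed sample data (not from any real site): a long-standing owner
# account, an editor, and two Administrator accounts that appeared in November.
SAMPLE_INSTALLED_VERSION = "1.4.2"
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2016-03-02 10:15:00,administrator
7,editor_jane,jane@example.com,2017-08-19 09:00:00,editor
812,wpadmin_1,a1@example.net,2018-11-09 03:12:44,administrator
813,wpadmin_2,a2@example.net,2018-11-09 03:12:51,administrator
"""
SAMPLE_NOW = datetime(2018, 11, 12, 0, 0, 0)


def parse_version(version):
    """Split '1.4.10' into (1, 4, 10) so versions compare numerically.
    Comparing the strings instead would rank '1.4.10' below '1.4.3'."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed plugin predates the fixed release."""
    return parse_version(installed_version) < parse_version(fixed_version)


def find_suspect_admins(users_csv, now, known_admins, window_days=30):
    """Return (user_login, reason) for every Administrator that is either not
    on the allowlist of expected admins or was registered within the window.
    The two rogue accounts described in the article would trip both conditions."""
    cutoff = now - timedelta(days=window_days)
    suspects = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = row["roles"].split(",")  # wp-cli joins multiple roles with commas
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not an expected admin")
        if registered >= cutoff:
            reasons.append("registered %s" % row["user_registered"])
        if reasons:
            suspects.append((row["user_login"], "; ".join(reasons)))
    return suspects


def triage(installed_version, users_csv, now, known_admins):
    """Combine both checks into one report dict."""
    return {
        "plugin_vulnerable": is_vulnerable(installed_version),
        "suspect_admins": find_suspect_admins(users_csv, now, known_admins),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INSTALLED_VERSION, SAMPLE_USERS_CSV, SAMPLE_NOW,
                    known_admins=("siteowner",))
    print("WP GDPR Compliance %s vulnerable: %s"
          % (SAMPLE_INSTALLED_VERSION, report["plugin_vulnerable"]))
    for login, reason in report["suspect_admins"]:
        print("suspect administrator %-12s %s" % (login, reason))
```

Two points worth keeping in mind when using this. The version check compares numerically because a plain string comparison would treat a hypothetical 1.4.10 as older than 1.4.3 and report a patched site as vulnerable. And a clean admin list is not, by itself, a clean site: the WPScan description quoted above says the flaw lets an unauthenticated user update any database value, so the rest of the configuration deserves a look too, which is why the victim in the story reinstalled WordPress rather than only deleting the rogue accounts.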

Read the announcement here:

Download the fixed plugin here
