A popular GDPR compliance WordPress plugin vendor has patched a flaw that rendered both site visitors and admins vulnerable to cookie-stealing cross-site scripting (XSS) attacks.
The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users. The plugin is a notification app that begs you to accept cookies when you first visit a WordPress site. Website owners use tools like this to stay compliant with GDPR, which treats cookies as a form of online identifier and therefore subject to its consent rules.
While the GDPR Cookie Consent plugin asks you if you’d mind accepting cookies, it doesn’t ask you if you’d like a dollop of XSS with them too. Until this week, that’s what visitors to pages containing the plugin might have been vulnerable to.
The flaw enabled an XSS attack and elevation of privilege in versions 1.82 and earlier, said a blog post by The Ninja Technologies Network, which sells web application firewalls to protect WordPress sites.
autosave_contant_data (“contant” is a typo in the code itself), and
post_id that this function delivers to change the text of any post, but doing so sets the post’s status to draft, hiding it from regular subscribers. That still leaves it visible to editors, admins, and the author of the post. An attacker could, therefore, use an altered post to mount an XSS attack on one of these privileged users.
Doing that takes another bit of skullduggery, explains Wordfence. WordPress uses a whitelist of permitted HTML tags when editing content, which would strip out malicious code like XSS payloads. However, the plugin permits shortcodes. These are commands a bit like macros contained in square brackets that WordPress blogs and their plugins interpret as shortcuts to include rich text like image galleries and videos.
By using shortcode functionality in the plugin, an attacker can hit a site admin with an XSS attack. The attackers could also insert formatted text, hyperlinks, and remote images, explained Ninja Technologies.
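The point above is that the HTML allowlist is applied to what the author types, while shortcodes are expanded into HTML later, after that check has run. The following is an added illustration, not code from the plugin or from WordPress: the allowlist table, the toy `[img ...]` shortcode and the two render functions are all constructed for this example. It shows that the same allowlist neutralises the injected attribute when it is applied after shortcode expansion instead of before.

```python
import html
import re

# Constructed KSES-style allowlist: tag -> attributes permitted on it (not WordPress's real table).
ALLOWED = {"p": set(), "strong": set(), "a": {"href"}, "img": {"src", "alt"}}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')

def kses(markup: str) -> str:
    """Drop every tag not on the allowlist and every attribute not permitted for its tag."""
    def fix(m):
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED:
            return ""                      # unknown tag: remove the tag, keep its text
        if closing:
            return f"</{tag}>"
        kept = [f'{n}="{html.escape(v, quote=True)}"'
                for n, v in ATTR_RE.findall(attrs)
                if n.lower() in ALLOWED[tag]
                and not v.strip().lower().startswith("javascript:")]
        return "<" + " ".join([tag] + kept) + ">"
    return TAG_RE.sub(fix, markup)

# Constructed toy shortcode: [img ...] is expanded verbatim into an <img> tag, copying all of its
# attributes. This stands in for a plugin shortcode that builds HTML from user-supplied attributes.
SHORTCODE_RE = re.compile(r"\[img\s+([^\]]*)\]")

def expand_shortcodes(content: str) -> str:
    return SHORTCODE_RE.sub(lambda m: f"<img {m.group(1)}>", content)

def render_vulnerable(content: str) -> str:
    """Allowlist first, shortcodes afterwards: HTML produced by the shortcode is never checked."""
    return expand_shortcodes(kses(content))

def render_hardened(content: str) -> str:
    """Expand shortcodes first, then allowlist the final HTML that will actually reach the browser."""
    return kses(expand_shortcodes(content))

if __name__ == "__main__":
    sample = '<p>Notice</p>[img src="/logo.png" onerror="alert(1)"]'   # constructed input
    print("vulnerable:", render_vulnerable(sample))
    print("hardened:  ", render_hardened(sample))
```

The hardened ordering still lets the remote image through, matching what the plugin intends, but without the event-handler attribute.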
What to do
The bug has a CVSS score of 9.0, said Wordfence, which makes it critical, although at the time of writing there wasn’t an assigned CVE number.
WebToffee has released an updated version, 1.83, and any admins should patch their deployments immediately.