WordPress GDPR Compliance Plug-In Vulnerability Caused Data Privacy Breach

The operators of the WordPress content management platform issued an advisory telling users to update the WP GDPR Compliance plug-in immediately, because a software flaw could lead to a privacy breach.

The WP GDPR Compliance plug-in was designed to help website owners comply with the EU’s General Data Protection Regulation (GDPR). However, it was found to contain a vulnerability that allows unauthorized persons to access the back end of WordPress sites. An unauthorized person can even create an account with administrator privileges, so that they can return through the back end of the website later on.

The WP GDPR Compliance plug-in was created to handle GDPR tasks such as data access and data deletion requests automatically. Under the GDPR legislation, companies must give users the ability to view their data or even have it deleted.

The latest entry in the WPScan Vulnerability Database states that the WP GDPR Compliance plug-in vulnerability allows unauthenticated users to access the site and execute any action, including updating any database value.

Users are instructed to update the plug-in to the latest version, 1.4.3, immediately to fix the security issues. WordPress account holders and site managers have downloaded this plug-in update more than 100,000 times, which shows the extent of the impact of this flaw.

Regarding the GDPR data privacy breach, WordPress security plug-in developer Wordfence said that over a hundred thousand WordPress sites used the WP GDPR Compliance plug-in and were vulnerable to this attack. It is very important that the update is installed as soon as possible.

An infected site might be used to send spam emails, host a phishing attack, or be monetized in some other way; the attacker’s goal is often clearly identified during triage. In the incidents identified so far, the compromised sites were left with backdoor scripts. Other attackers are then prevented from creating their own administrator accounts, and it is unlikely that the site’s administrator will become aware of a problem: the door closes behind the attacker.

Any organization using WordPress and this plug-in needs to investigate its website right away. The update must be completed promptly to avoid the possible penalty under the GDPR legislation of €20 million or 4% of annual global revenue.
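The two checks a site operator would run first, given what the article describes (an outdated plug-in and administrator accounts the attacker created for later access), as an added example that is not code from the article, from WordPress or from the plug-in’s authors. It assumes the plug-in slug is `wp-gdpr-compliance` and that the input is the JSON that WP-CLI’s `wp plugin list --format=json` and `wp user list --format=json` emit; the sample records below are constructed for this example, and the only fact taken from the article is the fixed version 1.4.3.

```python
"""Triage helper for the WP GDPR Compliance advisory (added example)."""
import json
from datetime import datetime

FIXED_VERSION = (1, 4, 3)           # fixed release named in the advisory
PLUGIN_SLUG = "wp-gdpr-compliance"  # assumed slug; confirm on your install

# Constructed sample: what `wp plugin list --format=json` might return
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "version": "4.1"},
    {"name": "wp-gdpr-compliance", "status": "active", "version": "1.4.2"},
])

# Constructed sample: what `wp user list --format=json` might return
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator",
     "user_registered": "2017-03-01 09:12:00"},
    {"ID": 2, "user_login": "editor1", "roles": "editor",
     "user_registered": "2018-06-14 10:00:00"},
    {"ID": 3, "user_login": "support_tmp", "roles": "administrator",
     "user_registered": "2018-11-08 02:31:17"},
])


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def plugin_needs_update(plugin_json, slug=PLUGIN_SLUG, fixed=FIXED_VERSION):
    """Return (installed_version, needs_update); installed_version is None if absent."""
    for plugin in json.loads(plugin_json):
        if plugin.get("name") == slug:
            installed = plugin.get("version", "0")
            return installed, parse_version(installed) < fixed
    return None, False


def unexpected_admins(user_json, trusted_before):
    """Logins of administrator accounts registered on or after the trusted cutoff.

    `trusted_before` is the last date the operator is sure the admin list was
    legitimate; anything newer with the administrator role is worth a look.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    cutoff = datetime.strptime(trusted_before, fmt)
    flagged = []
    for user in json.loads(user_json):
        roles = user.get("roles", "").split(",")
        if "administrator" not in roles:
            continue
        if datetime.strptime(user["user_registered"], fmt) >= cutoff:
            flagged.append(user["user_login"])
    return flagged


def triage(plugin_json, user_json, trusted_before):
    """Combine both checks into one report dict."""
    installed, needs_update = plugin_needs_update(plugin_json)
    return {
        "installed_version": installed,
        "needs_update": needs_update,
        "new_admins": unexpected_admins(user_json, trusted_before),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PLUGINS, SAMPLE_USERS, "2018-11-01 00:00:00")
    print(json.dumps(report, indent=2))
```

A flagged account is a lead, not proof: confirm each one against your own records before removing it, and treat an outdated plug-in on a site with an unexplained administrator as a likely compromise that needs a full review of the site, not just the update.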