A now-patched flaw in a popular plugin was allowing hackers to take over various WordPress sites and act as administrators, putting them in a position to cause further damage, according to Wordfence, a company that makes security software for the publishing platform. The plugin, WP GDPR Compliance, is meant to help WordPress site owners comply with Europe’s General Data Protection Regulation by automating tasks like data access requests and data deletion requests. GDPR requires that companies give their users the option to view or delete data that pertains to them. A bug in the privacy-focused plugin was exploited in the wild, Wordfence said in a report published Thursday, allowing “unauthenticated attackers to achieve privilege escalation.” The vulnerability allowed attackers to force affected WordPress sites to perform arbitrary actions, including installing new administrator accounts. Wordfence researchers said they also observed attackers installing backdoors, but it’s not clear what they’re intended to be used […]
Source: Flaw in WordPress plugin allowed unauthorized admin access, backdoors – Cyberscoop