430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

600+ installs of WordPress Cookie Consent Plugin vulnerable to hack. Fix it now!

Developers of the popular WordPress GDPR Cookie Consent plugin have addressed a critical bug that could potentially impact 700K users. Critical vulnerabilities in the WordPress GDPR Cookie Consent plugin could be exploited by potential attackers to delete and change the content of the sites and inject malicious JavaScript code due to improper access controls. The GDPR Cookie Consent plugin assists users […]

ShapedPlugin plugin

Developers of the popular WordPress GDPR Cookie Consent plugin have addressed a critical bug that could potentially impact 700K users.

Critical vulnerabilities in the WordPress GDPR Cookie Consent plugin could be exploited by potential attackers to delete and change the content of the sites and inject malicious JavaScript code due to improper access controls.

The GDPR Cookie Consent plugin assists users in making your website GDPR compliant.  The vulnerability was reported to the development team by the security researcher Jerome Bruandet from NinTechNet.

“The save_contentdata method allows the administrator to save the GDPR cookie notice to the database as a page post type” wrote NinTechNet.

“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from “published” to “draft”:” “Additionally, it is possible to delete or change their content. Injected content can include formatted text, local or remote images as well as hyperlinks and shortcodes.”

The WordPress plugin is developed by WebToffee that addressed the flaw with the release of version 1.8.3, less than a week after the disclosure of the issues. The vulnerabilities affect version 1.8.2 and earlier.

The security firm WordFence also independently confirmed the flaw after the development team has addressed it. WordFence analyzed the plugin after it was fixed and noticed were a number of code changes related to capabilities check added to an AJAX endpoint used in the plugin’s administration pages.

“Because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.” states WordFence.

An attacker could exploit the flaw to inject JavaScript code that will be automatically loaded and executed every time a user (authenticated or not) visits the /cli-policy-preview/ page.”

“[the issue is caused by] improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin” states the analysis published by WordFence.

Giving a look at the download history of the plugin we can see that no more than 82,000 users have installed the latest version of the plugin, this means that more than 600K installations are still vulnerable.

DOWNLOADS HISTORY
Today8.374
Yesterday72.341
Last 7 Days95.504
All Time5.104.967

Security experts at WordFence recently reported that over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug (CVE-2020-8417) in Code Snippets.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WordPress GDPR Cookie Consent, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]