Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent | ZDNet
(Source: zdnet.com)


Critical security issues caused by improper access controls in a WordPress plugin designed for GDPR cookie compliance have been resolved, but hundreds of thousands of websites may still be vulnerable to attack.
The GDPR Cookie Consent plugin, offered by developer Cookie Law Info through WebToffee, has been designed to help ensure websites are compliant with the EU's General Data Protection Regulation (GDPR); specifically, obtaining consent for cookies from visitors, the creation of a Privacy & Cookies Policy page and the enablement of banners showing compliance.
The plugin accounts for over 700,000 active installs according to the WordPress library.
On January 28, NinTechNet researcher Jerome Bruandet discovered a vulnerability affecting GDPR Cookie Consent version 1.8.2 and below.
The security flaw, for which a CVE number has been requested, is a critical issue caused by missing capability checks, leading to authenticated, stored cross-site scripting (XSS) and potentially privilege escalation.
A vulnerable AJAX endpoint is the root cause of the problem, in which a failure to implement checks meant that three actions were exposed: get_policy_pageid, autosave_contant_data, and save_contentdata.
According to WordPress security organization Wordfence, "because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site's security."
While get_policy_pageid only returns the post ID of the cookie policy page and therefore poses little harm, the exposure of autosave_contant_data (the misspelling is in the code), a function intended to define the default content of the policy preview page, means that this page could be injected with XSS payloads.
Malicious payloads could then execute whenever http://websitename/cli-policy-preview/ is visited by members of the public.
In addition, save_contentdata is intended for use in creating or updating the post used for the policy page, and so exposure could permit attackers to change the post content in a number of different ways.
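The pattern the article describes, an admin-ajax.php action that any logged-in user can reach because the handler never tests the caller's capability, is easiest to see side by side with the fixed form. The following is an added illustration written for this page, not the GDPR Cookie Consent plugin's own code; the action names, function names and nonce name are hypothetical, and the WordPress API calls (current_user_can, check_ajax_referer, wp_kses_post, wp_update_post, wp_send_json_error) are the standard ones a plugin would use.

```php
<?php
/**
 * Added illustration (not the GDPR Cookie Consent plugin's code): an
 * admin-ajax.php handler shown without, then with, the capability check,
 * nonce check and input sanitisation WordPress expects.
 * Action, function and nonce names below are hypothetical.
 */

// --- Before: the wp_ajax_{action} hook fires for EVERY logged-in user,
// subscribers included, so without a current_user_can() test the handler
// trusts whoever calls it. This mirrors the defect described in the article.
add_action( 'wp_ajax_example_save_policy', 'example_save_policy_unchecked' );

function example_save_policy_unchecked() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $_POST['content'], // raw HTML stored: stored XSS
        'post_status'  => $_POST['status'],  // any subscriber can unpublish
    ) );
    wp_send_json_success();
}

// --- After: capability check, nonce check, and sanitised, validated input.
add_action( 'wp_ajax_example_save_policy_v2', 'example_save_policy_checked' );

function example_save_policy_checked() {
    // 1. Only administrators may edit the policy page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }

    // 2. Reject cross-site requests: the 'security' field must carry a nonce
    //    created with wp_create_nonce( 'example_policy_nonce' ) on the admin page.
    check_ajax_referer( 'example_policy_nonce', 'security' );

    // 3. Validate and sanitise every field before it reaches the database.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || get_post_type( $post_id ) !== 'page' ) {
        wp_send_json_error( 'invalid_post', 400 );
    }

    $allowed_status = array( 'publish', 'draft' );
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : 'draft';
    if ( ! in_array( $status, $allowed_status, true ) ) {
        wp_send_json_error( 'invalid_status', 400 );
    }

    // wp_kses_post() keeps the HTML an editor may legitimately post and
    // strips <script>, event-handler attributes and other XSS vectors.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
        'post_status'  => $status,
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The ordering matters: the capability check comes first so an unprivileged caller learns nothing about the nonce or the post, the nonce check stops an administrator's browser being used from another site, and sanitisation is still applied even though only administrators can reach the handler, since stored content is rendered to every visitor of the preview page.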
"An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from 'published' to 'draft,'" Bruandet said.
It may also be possible to use this action to delete material or inject content including "formatted text, local or remote images as well as hyperlinks and shortcodes," the researcher says.
The severe vulnerability was reported to the developer on February 4. The plugin was temporarily removed from the WordPress.org directory pending a fix on February 8. A patch was made available two days later and was pushed to plugins.svn.wordpress.org.
It is recommended that GDPR Cookie Consent plugin users make sure they are using the latest version of the software, 1.8.3, to stay protected. At the time of writing, 64.5 percent of users have updated -- with thousands of websites left to go.