This time, approximately 7,600 WordPress websites are involved!
One of the most popular WordPress plugins, WP GDPR Compliance, was hacked on 12 November 2018!
Imagine all these unlucky websites having their URLs changed to “hxxp://erealitatea[.]net”, causing them to fail to load completely.
Investigation shows that any version below 1.4.3 is vulnerable, and the plugin has been actively attacked many times. The worst part is that the attack does not require any authentication!!
WP GDPR Compliance is a plugin that adds a checkbox to websites, allowing visitors to hand over their data for the site owner to use for a defined purpose while protecting individuals’/web visitors’ data and privacy at the same time.
Moreover, it also lets visitors request copies of the data that the website holds about them.
How did the hacking take place?
- Gained administrative access to the site and made direct changes.
- Installed a malicious plugin to infect these websites with malware. The attackers probably employed bots to hack WordPress sites through the WP GDPR Compliance plugin vulnerability before registering admin accounts.
- Created rogue web pages.
WPScan Vulnerability Database: “The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.”
Update your WP GDPR Plugin Now!
To stay safe, update the plugin to version 1.4.3 or higher. Act now! (https://wordpress.org/plugins/wp-gdpr-compliance)
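A quick triage script for site owners, added here as an example and not code from the original post or from the plugin: it checks the installed plugin version against the 1.4.3 fix, and looks for the two symptoms described above (site URL rewritten, rogue admin registration). The option names `siteurl`, `home`, `users_can_register` and `default_role` are standard WordPress `wp_options` keys assumed here, and the sample data is constructed.

```python
import re
from urllib.parse import urlparse

FIXED_VERSION = (1, 4, 3)  # first release the post says is safe


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version: str) -> bool:
    """Any version below 1.4.3 is affected."""
    return parse_version(version) < FIXED_VERSION


def parse_options(dump: str) -> dict:
    """Parse constructed 'option_name=option_value' lines (a wp_options export) into a dict."""
    opts = {}
    for line in dump.strip().splitlines():
        name, _, value = line.partition("=")
        opts[name.strip()] = value.strip()
    return opts


def triage(version: str, options: dict, expected_host: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if is_vulnerable(version):
        findings.append(f"plugin {version} is below 1.4.3: update immediately")
    # Symptom 1: siteurl/home rewritten to a host the owner does not control.
    for key in ("siteurl", "home"):
        host = urlparse(options.get(key, "")).hostname
        if host != expected_host:
            findings.append(f"{key} points to {host!r}, expected {expected_host!r}")
    # Symptom 2: open registration handing every new account the administrator role.
    if options.get("users_can_register") == "1" and options.get("default_role") == "administrator":
        findings.append("open registration with administrator as default role")
    return findings


# Constructed sample resembling a compromised site; the hostname is a placeholder.
SAMPLE_OPTIONS = parse_options("""
siteurl=http://attacker-controlled.invalid
home=http://attacker-controlled.invalid
users_can_register=1
default_role=administrator
""")

if __name__ == "__main__":
    for finding in triage("1.4.2", SAMPLE_OPTIONS, "example.com"):
        print("FINDING:", finding)
```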