A WordPress plug-in that’s supposed to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.

A WordPress plug-in known as the WP GDPR Compliance plug-in contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.  The bug was discovered by the WordPress.org Plugin Directory Team on November 6 and patched the next day in version 1.4.3.

But despite the fixes, attacks on sites still running versions 1.4.2 and older are still going on, according to security experts from Defiant, a company that runs the Wordfence firewall plugin for WordPress sites.

WP GDPR ensure compliance with Europe’s General Data Protection Regulation by providing tools through which site visitors can permit use of their personal data or request data stored by the website’s database.

More information can be located below:

ZDNet – https://www.zdnet.com/article/zero-day-in-popular-wordpress-plugin-exploited-in-the-wild-to-take-over-sites/