February 11

Improper Access Controls in GDPR Cookie Consent Plugin

WordPress Security



Description: Improper Access Controls
Affected Plugin: GDPR Cookie Consent
Affected Versions: <= 1.8.2
CVSS Score: 9.0 (Critical)
CVSS Vector:
Patched Version: 1.8.3

The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin, which was discovered after the plugin had been removed from the repository. The Wordfence team released a firewall rule to our Premium customers on February 10th.

To help raise awareness of this issue, we are disclosing details of this vulnerability today, now that a fix has been released and users who do not use Wordfence Premium have a clear upgrade path. A technical description of the vulnerability in the “GDPR Cookie Consent” plugin follows.

GDPR Cookie Consent is a plugin that gives site owners the functionality to present an unintrusive modal that lets end users of the site review and consent to receiving that site’s cookies. It’s useful for sites looking to maintain compliance with EU GDPR/Cookie Law regulations. GDPR Cookie Consent currently has 700,000 active installs.

Earlier this week, the GDPR Cookie Consent plugin was closed “pending a full review” according to the plugin’s page in the directory. Often when plugins are closed in the WordPress plugin directory without a clear reason, plugin users can be concerned or confused. Because plugins are frequently closed due to security issues, we decided to investigate to see if this was the case. The development log showed the latest revision with the log message “1.8.3 – PHP 7.4 compatibility – Security fix”, so we decided to dig further into the code changes to determine its severity in order to protect Wordfence users.

There were numerous code changes, but the ones relevant to security add a capabilities check to an AJAX endpoint used in the plugin’s administration pages.

Because the AJAX endpoint was intended to be accessible only to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.

There are 3 actions that the vulnerability exposes to subscribers: get_policy_pageid, autosave_contant_data, and save_contentdata.

get_policy_pageid does not do much other than return the post ID of the plugin’s configured cookie policy page. There isn’t much risk in having this action available to subscribers.

autosave_contant_data is intended to define the default content that appears in the cookie policy preview page. The stored HTML content is unfiltered and can contain cross-site scripting (XSS) payloads. The cookie policy preview page is publicly accessible to all users, and these XSS payloads will be executed when visiting http://<wordpress-site>/cli-policy-preview/.

save_contentdata is designed to create or update the corresponding post used as the GDPR Cookie Policy page that end users of the site would view to choose whether to accept cookies from the site. The action takes a page_id parameter along with a content_information parameter which contains the post content. The page_id parameter allows the attacker to update the post content of any post. Additionally, it will set the post status to draft, so attackers looking to use this vulnerability for defacement won’t be able to display the post content to normal end users of the site. It could potentially be used to remove posts and pages from the public-facing portion of the site though.
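The class of fix described above (a capability check on an admin-only AJAX endpoint, plus filtering of stored HTML and of the target page ID) can be sketched as follows. This is an added example, not the plugin's source or its patch: the hook name, nonce action, request field names, and option names are all hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not GDPR Cookie Consent's source.
// Hook, nonce, field, and option names are invented for illustration.

add_action( 'wp_ajax_example_policy_admin', 'example_policy_admin_ajax' );

function example_policy_admin_ajax() {
    // CSRF check: the admin page is assumed to embed a nonce created with
    // wp_create_nonce( 'example_policy_admin' ) in the "security" field.
    check_ajax_referer( 'example_policy_admin', 'security' );

    // Authorization: wp_ajax_* hooks fire for every logged-in user,
    // subscribers included, so the handler must check the capability itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    $sub_action = isset( $_POST['sub_action'] ) ? sanitize_key( $_POST['sub_action'] ) : '';

    // Filter HTML before it is stored anywhere, not only on the post path.
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';

    switch ( $sub_action ) {
        case 'autosave_preview':
            // Preview content is rendered on a public page, so it is stored filtered.
            update_option( 'example_policy_preview_html', $content );
            wp_send_json_success();
            break;

        case 'save_policy':
            $page_id   = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
            $policy_id = (int) get_option( 'example_policy_page_id' );

            // Only the configured policy page may be written, never an arbitrary post ID.
            if ( 0 === $page_id || $page_id !== $policy_id || ! current_user_can( 'edit_page', $page_id ) ) {
                wp_send_json_error( 'Invalid page', 400 );
            }

            // wp_update_post() expects slashed input.
            wp_update_post( wp_slash( array( 'ID' => $page_id, 'post_content' => $content ) ) );
            wp_send_json_success();
            break;

        default:
            wp_send_json_error( 'Unknown action', 400 );
    }
}
```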

Since the post is in draft status, the post content will be visible to the post author, editors, and administrators. By default, when wp_insert_post is used for creating and updating posts, the post content is run through wp_filter_post_kses, which is WordPress’s HTML whitelist. It’s designed to allow only specific HTML tags and attributes, and will strip out XSS payloads.

Because the post content can contain shortcodes, an attacker can still use GDPR Cookie Consent’s built-in shortcodes to bypass the KSES filter. These shortcodes are parsed when viewing the rendered post in the browser. Here’s an example shortcode that can be included in the post content and will render a valid XSS payload in the browser when viewing the post:

[cookie_accept color='" onmousemove=alert(/xss/);this.onmousemove=null; style="place:fixed;top:0;correct:0;base:0;left:0;" check="']

Because the post itself will not be public on the site (since the post status has been changed to draft), the XSS payload can only be executed by authors, editors, and administrators who view the post.
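KSES only filters the stored post content, which here contains nothing but shortcode text; the HTML is generated later, at render time, so the shortcode callback has to validate and escape its own attributes. The following added example contrasts an unsafe callback with a hardened one. It is not the plugin's implementation: the shortcode name, function names, and markup are hypothetical.

```php
<?php
// Added example: hypothetical shortcode, not the plugin's own implementation.

// Unsafe pattern (shown for contrast, deliberately not registered):
// the attribute value is concatenated into the tag, so a quote character
// in "color" closes the style attribute and lets new attributes follow.
function example_accept_button_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'color' => '' ), $atts );
    return '<a class="example-accept" style="color:' . $atts['color'] . '">Accept</a>';
}

// Hardened pattern: validate against the expected format, then escape on output.
add_shortcode( 'example_accept_button', 'example_accept_button_safe' );

function example_accept_button_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'color' => '',
            'label' => 'Accept',
        ),
        $atts,
        'example_accept_button'
    );

    // sanitize_hex_color() returns the value only if it is #rgb or #rrggbb;
    // anything else (including quote-breaking input) yields null or ''.
    $color = sanitize_hex_color( $atts['color'] );
    $style = $color ? 'color:' . $color . ';' : '';

    // Escape for the context each value lands in, even after validation.
    return sprintf(
        '<a class="example-accept" role="button" style="%s">%s</a>',
        esc_attr( $style ),
        esc_html( $atts['label'] )
    );
}
```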


  • February 8, 2020 – GDPR Cookie Consent plugin is removed from the wordpress.org plugin directory.
  • February 10, 2020 8:02 AM UTC – A patch fixing the vulnerability is pushed to plugins.svn.wordpress.org.
  • February 10, 2020 6:37 PM UTC – We deploy a firewall rule to provide protection against this vulnerability to our Threat Defense Feed.
  • February 11, 2020 10:00 PM UTC – GDPR Cookie Consent is re-opened in the plugin directory with the patched version available for download.
  • March 11, 2020 – Wordfence users still using the free version receive the firewall rule to protect their site.


In today’s post, we detailed how a missing capabilities check can lead to stored cross-site scripting in the GDPR Cookie Consent plugin. This vulnerability has been fixed in version 1.8.3. We recommend that users immediately update to the latest version available. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 10th. Sites running the free version of Wordfence will receive the firewall rule update on March 11th, 2020.

In addition, the generic XSS protection built into our WAF blocked the XSS payloads sent to almost all AJAX endpoints tested with this vulnerability. This XSS protection is provided out of the box with the Wordfence WAF, and has been available all along to both Premium and free users.

Special thanks to Matt Rusnak and Ryan Britton for handling the original investigation into this vulnerability.

The post Improper Access Controls in GDPR Cookie Consent Plugin appeared first on Wordfence.
