WordPress GDPR Plugin Hacked - Learn How to Protect your Website

Update your WordPress plugin "GDPR"


WordPress GDPR is a plugin supported by WordPress that helps websites built on the WordPress platform comply with European privacy regulations. It is installed on over 1,00,000 sites, and the current version of the plugin is 1.4.3.


The attack on WordPress GDPR Plugin:

Sites running a version of the WordPress GDPR plugin earlier than 1.4.3 are being attacked by hackers. The hackers have exploited many sites and changed their site URL to values such as "hxxp://erealitatea[.]net".


The vulnerability is in the plugin module that is designed to improve data health and general security. It lets attackers gain elevated privileges and modify the site's data.


The problem in versions before 1.4.3 is that the "save_settings" option is not properly configured. This is what lets hackers compromise these sites.

Types of Exploitation of WordPress GDPR:

Getting Admin Access by modifying Settings: This involves changing the site's settings so that new users are allowed to create an account and the new user's role is changed to administrator, which is then used to exploit the site.

Change of Site URL: 

This involves changing the site URL to something like hxxps://pastebin[.]com/raw/V8SVyu2P? or hxxp://erealitatea[.]net

Attack using Cron Scheduler: 

Using the bug in the plugin, the hackers install the 2MB Autocode plugin, which is later used to add a backdoor script named wp_cache.php to the site.

How to Resolve the attack on Sites:

Site admins who are using WordPress GDPR should check whether hackers have exploited their site. If the site has been attacked, go to the site's wp_options database table and manually edit the site URL and domain. Once the URL is corrected, the site works normally again.

After this, check for suspicious changes or uploads on the site. Then update the WordPress GDPR plugin to version 1.4.3 to be safe from the attack.


The situation of Attacked Sites:

As of now, the hackers have not done anything malicious, such as SEO spam, on the attacked sites. Owners of attacked sites should therefore remove or update the plugin and remove any suspicious backdoors before their SEO rankings take a hit.


Knowing Attacked Sites:

The following are indicators that a site has been exploited:
  • Admin creation using IPs 234.39.250 234.37.214
  • Cron injection using 39.65.176 123.213.91
  • Sudden installation of 2MB Autocode
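
A triage sketch for the checks described above, added here as an example and not code from the plugin or from WordPress: it takes rows exported from wp_options plus a web root path and flags a changed site URL, open registration with an administrator default role, an Autocode plugin entry, and files named wp_cache.php. The function names, the sample rows, the `shop.example` host and the `autocode` substring match are assumptions.

```python
import os
from urllib.parse import urlparse

BACKDOOR_NAME = "wp_cache.php"  # backdoor file name reported in the article
PLUGIN_MARKER = "autocode"      # assumption: substring of the 2MB Autocode plugin path

def check_options(options, expected_host):
    """Flag wp_options rows (option_name -> option_value) matching the article's symptoms."""
    findings = []
    for key in ("siteurl", "home"):
        host = urlparse(options.get(key, "")).hostname
        if host != expected_host:
            findings.append(f"{key} points to {host!r}, expected {expected_host!r}")
    # Open registration plus an administrator default role hands admin to any new account.
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    if options.get("default_role", "subscriber") == "administrator":
        findings.append("default_role is administrator")
    # active_plugins is a PHP-serialized array; a substring match is enough for triage.
    if PLUGIN_MARKER in options.get("active_plugins", "").lower():
        findings.append("active_plugins references an Autocode plugin")
    return findings

def find_backdoors(web_root):
    """Return sorted paths under web_root named wp_cache.php (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == BACKDOOR_NAME]
    return sorted(hits)

# Constructed sample rows (not from a real site); plugin paths are illustrative.
SAMPLE_COMPROMISED = {
    "siteurl": "http://unexpected.example/",
    "home": "http://unexpected.example/",
    "users_can_register": "1",
    "default_role": "administrator",
    "active_plugins": 'a:2:{i:0;s:13:"gdpr/gdpr.php";i:1;s:29:"2mb-autocode/2mb-autocode.php";}',
}
SAMPLE_CLEAN = {
    "siteurl": "https://shop.example",
    "home": "https://shop.example",
    "users_can_register": "0",
    "default_role": "subscriber",
    "active_plugins": 'a:1:{i:0;s:13:"gdpr/gdpr.php";}',
}

if __name__ == "__main__":
    for finding in check_options(SAMPLE_COMPROMISED, "shop.example"):
        print("FINDING:", finding)
    print("backdoor candidates:", find_backdoors("."))
```

Registration can be enabled legitimately, so treat each finding as a prompt to review the setting rather than proof of compromise.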



Suggestion to be safe from attacks:

Always make sure that all the plugins used by sites built on any platform are up to date. Also, periodically scan the website for infection using any one of the below links:


