Scroll Top

Urgent bug fix for GDPR Cookie Consent plugin for WordPress

February 16, 2020

The popular GDPR Cookie Consent plugin, which has been downloaded over 700.000 times, was temporarily removed from the WordPress.org plugin repository earlier this week after the developer was notified of a critical bug. Two days later (on February 10) a new version 1.8.3 was released.

This new version contains a patch for this bug. Users are advised to update the plugin as quickly as possible.

About the GDPR Cookie Consent plugin

GDPR Cookie Consent is a popular WordPress plugin that helps website owners to comply with the General Data Protection Regulation (GDPR). The plugin creates a cookie banner that is displayed on the website and provides information about the cookies that the site uses. Visitors can accept the report or click through to a page with more information. As an admin user you can easily configure the cookie details from the backend. The list of cookies can be displayed on your cookie policy page using a shortcode. You can also adjust the colors, fonts, styles and positioning of the cookie banner so that it fits nicely with the design of your website. The plugin has more than 700,000 active installations. All websites that use an old version of the plugin (version 1.8.2 or older) are at risk.

 

Bug

The bug was discovered by Jerome Bruandet, a security researcher at NinTechNet. After informing the developer, he published a blog post describing the problem. This is a vulnerability that allows attackers to remove or modify content from the affected website. This can then be formatted text, images, hyperlinks and short codes.

It also allows for cross site scripting (XSS) attacks by saving the data into the cli_pg_content_data database field without validating it. An authenticated user can use it to inject JavaScript code, which will be loaded and executed each time someone, authenticated or not, visits the http://example.com/cli-policy-preview/ page.

Both Bruandet and Wordfence and the plugin developer themselves advise users to update to version 1.8.3 of the GDPR Cookie Consent plugin as quickly as possible.

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

Injection vulnerability In WP Database Backup Plugin

Researchers of the Threat Intelligence team of WordFence have warned on Tuesday that WordPress plugin WP Database Backup contains a critical vulnerability. The developer has since patched this flaw. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

02 Jun 2019
WordPress 4.7.2 security update

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. Join Our Online Security and Hosting Newsletter Today and stay…

06 Feb 2017
Simple Social Buttons plugin for WordPress vulnerability patched

WPBrigade, the developer behind the Simple Social Buttons plugin, have just released a fix to a critical vulnerability. This vulnerability allows an attacker to completely take over a website. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

15 Feb 2019
WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation. Join Our Online Security and Hosting Newsletter Today and stay…

15 Sep 2015
vulnerability discovered in WooCommerce Checkout Manager

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

07 May 2019
Authentication bypass bugs in 3 plugins make 400.000 websites vulnerable

Researchers have discovered authorization bypass bugs in three WordPress plugins, making a total of 400,000 WordPress websites vulnerable to cyber attacks. The affected plugins are InfiniteWP, WP Time Capsule and the WP Database Reset plugin. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest…

23 Jan 2020
Three vulnerabilities in LearnPress discovered

Three vulnerabilities in LearnPress prior to version 3.1.0 have been discovered. LearnPress is a popular plugin with more than 50.000 installations for the WordPress CMS that can be used to create and sell courses online. LearnPress is similar to Moodle, an open source learning platform. Join Our Online Security…

13 Jan 2019
Media File Manager plugin for WordPress exploited

An exploit was discovered in The Media File Manager plugin version 1.4.2 for WordPress. This vulnerability allows for directory traversal and the initiation of a remote cross site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function of the file wp-admin/admin-ajax.php. A working exploit has been dislosed….

03 Feb 2019
Exploit WordPress Arigato Autoresponder and Newsletter v2.5.1.8

TheĀ Arigato Autoresponder and Newsletter by Kiboko Labs plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. Join Our Online Security and Hosting Newsletter…

28 Dec 2018
Vulnerabilities found in Newsletter plugin for WordPress

Newsletter, a free WordPress plugin with more than 300,000 installations, was found to contain multiple vulnerabilities that could eventually lead to the takeover of an affected website. The bugs were discovered by the Wordfence team who notified the developer of the plugin. Join Our Online Security and Hosting Newsletter…

07 Aug 2020
WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and…

11 Apr 2014
WordPress Sites Attacked Through Vulnerable Home Routers

Attackers are hijacking vulnerable home routers to launch attacks against WordPress sites. The attacks exploit two flaws in the TR-069 router management protocol to send malicious requests to port 7547. Experts have been advising home users to limit access to port 7547. Internet service providers (ISPs) could take steps…

16 Apr 2017
WordPress plugin Spambyebye vulnerable

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

24 Jan 2019
Another WordPress commercial plugin gets exploited

And yet another WordPress commercial plugin gets exploited in the wild, as Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of january. In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…

17 Feb 2019
Social Network Tabs plugin contains serious vulnerability

The popular WordPress plugin, Social Network Tabs, which has been downloaded over 53.000 times in the past 7 years and is used to help users share content on social media sites, left thousands of linked Twitter accounts exposed to compromise. Join Our Online Security and Hosting Newsletter Today and…

26 Jan 2019

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy