GDPR ❗ MASSIVE SECURITY GAP IN WP PLUGIN


A serious security vulnerability

Experts have demonstrated a serious security vulnerability in the WordPress plugin that is supposed to support compliance with the new GDPR. It enables, for example, the unauthorized creation of admin accounts. Numerous WordPress users have recently reported precisely this problem.

The plugin is called WP GDPR Compliance and is designed to support compliance with the new EU GDPR. It has already been installed over 100,000 times for this purpose. At the beginning of November, there were an increasing number of reports in the relevant blogs about strange occurrences in connection with the WordPress plugin.

Plugin has been installed and activated several times

A frequent observation from those affected was that WP GDPR Compliance was repeatedly installed and activated without any action on the part of the website operator. Such behavior immediately suggests unauthorized access by an external user, which is why users were alarmed and in many cases reported the incident.

Plugin team reacted quickly

Just one day later, the plugin review team released version 1.4.3. We strongly recommend that you update to version 1.4.3 if you want to use the WordPress plugin. It is also essential to check whether a new user account has already been created or, in other words, whether the loophole has already been exploited.
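One way to run the account check recommended above, as an added example that is not part of the original article or the plugin's own code: it reviews a CSV export of administrator accounts (for instance from WP-CLI's `wp user list`) against a list of admins the operator knows about. The sample export, the account names and the review-window start date are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of `wp user list --role=administrator
# --fields=ID,user_login,user_email,user_registered --format=csv` output.
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2016-03-14 09:12:44
7,editor-anna,anna@example.com,2017-08-02 16:40:03
23,t3st_acct,x@example.net,2018-11-08 02:17:51
"""

def audit_admins(export_csv, known_admins, window_start):
    """Return (login, registered, reasons) for admin accounts needing review.

    known_admins: logins the operator created on purpose (assumption: the
    operator keeps such a list).
    window_start: start of the period under review (assumed by the caller).
    """
    known = {name.lower() for name in known_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        raw_date = row["user_registered"].strip()
        reasons = []
        if login.lower() not in known:
            reasons.append("not in known-admin list")
        try:
            registered = datetime.strptime(raw_date, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # e.g. a zeroed or tampered date; never skip such a row silently
            registered = None
            reasons.append("unparseable registration date")
        if registered and registered >= window_start:
            reasons.append("registered inside review window")
        if reasons:
            findings.append((login, raw_date, reasons))
    return findings

if __name__ == "__main__":
    for login, registered, reasons in audit_admins(
        SAMPLE_EXPORT, {"siteowner", "editor-anna"}, datetime(2018, 11, 1)
    ):
        print(f"REVIEW {login} ({registered}): {', '.join(reasons)}")
```

An empty result only means no administrator account matched these two checks; any account that is flagged should be verified with its supposed owner before it is kept.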

User identified cause

It was a user who identified the WordPress GDPR plugin as the cause of the unusual problems through a test. On November 6, 2018, the administrators reacted and removed the plugin from the directory of the content management system. Users were informed about this step in a support thread.

Forced update is checked

Security could only be guaranteed for all users if a forced update were made a requirement for the continued operation of the GDPR plugin in the future. According to the support thread, the plugin directory team and the plugin authors are already in contact. Whether a forced update can be implemented in this context is being examined jointly. More information can be found on the blog of the plugin website.