Vulnerability in WP DSGVO Tools (GDPR) Plugin Allows Unauthenticated Page Deletion
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
On September 27, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability we found in WP DSGVO Tools (GDPR), a WordPress plugin with over 30,000 installations. We were investigating the plugin to verify that our customers were fully protected from an actively exploited XSS issue, and found a flaw that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.
After we found a viable communication channel, the plugin’s developer responded and we sent over full disclosure on September 30, 2021. A patched version, 3.1.24, which included a fix for both this issue and a separate XSS vulnerability, was made available the same day.
We released a firewall rule to protect Wordfence Premium customers against the post deletion vulnerability on September 27, 2021, and this rule became available to free Wordfence users 30 days later, on October 27, 2021.
All Wordfence users, including Wordfence free users, were already protected against XSS exploits by the Wordfence firewall’s built-in XSS protection, though we did add some additional protection in the new rule to prevent attackers from causing nuisance issues via the AJAX action used for the XSS vulnerability.
Affected Plugin: WP DSGVO Tools (GDPR)
Plugin Slug: shapepress-dsgvo
Affected Versions: <= 3.1.23
CVE ID: CVE-2021-42359
CVSS Score: 7.5(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.24
The WP DSGVO Tools (GDPR) plugin contains functionality to let users request their personal information to be removed from a site. It also contained an AJAX action, admin-dismiss-unsubscribe, to allow administrators to “dismiss” these removal requests. The requests were stored in the WordPress posts
table, so “dismissing” a data removal request simply involved deleting the associated post ID.
Unfortunately, the AJAX action was available to unauthenticated users, and the plugin did not check to see if the post to be deleted was actually a data removal request. As such, it was possible for any site visitor to delete any post or page on the site by sending an AJAX request with the admin-dismiss-unsubscribe
action along with the ID of the post to be deleted. Sending the AJAX request once would move the post to the trash, while repeating the request would permanently delete it.
While it is true that site defacements have become less popular in recent years as they are more difficult to monetize, it would be trivial for an attacker to delete most of a site’s content in a way that would be impossible to recover unless the site’s database had been backed up. As with the recently disclosed site deletion vulnerability in HashThemes Demo Importer, this vulnerability stresses the importance of maintaining regular back-ups so in the event that information goes missing on a site, it can easily be restored.
Timeline
September 27, 2021 – While investigating a recently reported XSS vulnerability in WP DSGVO Tools (GDPR), we find a separate vulnerability. We release a firewall rule to protect Wordfence Premium customers and initiate the disclosure process.
September 30, 2021 – We send over full disclosure for the vulnerability we found. A patched version of the plugin, 3.1.24, becomes available.
October 27, 2021 – The firewall rule becomes available to free Wordfence users.
Conclusion
In today’s article, we covered a vulnerability in WP DSGVO Tools (GDPR) that allowed unauthenticated attackers to permanently delete any post or page on a site.
Wordfence Premium users have been protected against this vulnerability since September 27, 2021, while sites still running the free version of Wordfence received the same protection 30 days later, on October 27, 2021. All Wordfence users are protected against the separate XSS issue by the Wordfence firewall’s built-in XSS protection.
We strongly recommend updating to the latest version of the plugin available immediately, which is 3.1.26 as of this writing, as it contains fixes for both the post deletion vulnerability and the XSS issue.
The Wordfence Threat Intelligence team regularly publishes our own research, but we also spend a lot of time making sure our users are protected from vulnerabilities discovered by other researchers. Not only does this ensure that our users have the best security in the industry, but we frequently discover additional vulnerabilities while doing so. This helps to make WordPress a safer ecosystem, and all of it is made possible by our Premium customers.
If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments