A patch released this week for the WordPress GDPR Cookie Consent plugin, used by more than 700,000 websites, fixed critical vulnerabilities that would let attackers change and delete content as well as inject malicious JavaScript code.
The GDPR Cookie Consent plugin aids sites in complying with EU GDPR/Cookie Law regulations and is maintained by WebToffee.
Noting that even “users who do not use Wordfence Premium have a clear upgrade path” now that the patch is available, Wordfence described “how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository” and released details on the vulnerability.
Essentially, an AJAX endpoint meant only to be used by administrators lacked a proper capabilities check, which made it possible for “subscriber-level users to perform a number of actions” that could compromise site security.
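The pattern described above, an admin-only AJAX handler that trusts any logged-in user, is shown here as an added illustration alongside its hardened form. This is generic WordPress plugin code written for this article, not the GDPR Cookie Consent plugin's own code; the action names, option name and nonce name (`example_save_banner`, `example_banner_html`, `example_save_banner_nonce`) are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. Action, option and nonce names
// below are assumed for the example.

// --- Weak pattern -----------------------------------------------------------
// The wp_ajax_{action} hook fires for ANY authenticated user, subscribers
// included. Without a capability check the handler trusts whoever calls it,
// and storing raw HTML that is later echoed is how a stored XSS arises.
add_action( 'wp_ajax_example_save_banner', 'example_save_banner_unchecked' );
function example_save_banner_unchecked() {
    update_option( 'example_banner_html', $_POST['banner_html'] ?? '' );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Only wp_ajax_ (not wp_ajax_nopriv_) is registered, so the request must at
// least come from a logged-in session; the checks below narrow it further.
add_action( 'wp_ajax_example_save_banner_secure', 'example_save_banner_secure' );
function example_save_banner_secure() {
    // 1. Capability check: restrict the action to users who may manage
    //    site options (administrators on a single-site install).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
    }

    // 2. Nonce check: the caller must present a nonce created with
    //    wp_create_nonce( 'example_save_banner_nonce' ) in the 'nonce' field,
    //    so a forged cross-site request from the admin's browser is rejected.
    check_ajax_referer( 'example_save_banner_nonce', 'nonce' );

    // 3. Sanitise on input: wp_kses_post() strips <script> tags and inline
    //    event handlers while keeping the markup allowed in post content.
    $html = wp_kses_post( wp_unslash( $_POST['banner_html'] ?? '' ) );
    update_option( 'example_banner_html', $html );

    wp_send_json_success();
}

// 4. Escape on output as well: stored data is filtered again when rendered,
//    so a value that reached the database by another path is still defanged.
function example_render_banner() {
    echo wp_kses_post( get_option( 'example_banner_html', '' ) );
}
```

The weak handler fails on the same point the article describes: the hook guarantees a logged-in user but says nothing about that user's role, so the capability check has to be explicit. Reviewing a plugin for this class of bug means looking at every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirming that the callback performs both a `current_user_can()` check and a nonce check before touching options or content.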
“While consent management platforms (CMP) have been widely adopted, they have not been proven to honor consumer choice,” said The Media Trust CEO Chris Olson. “CMPs conform to a minimum standard and oftentimes provide outdated information to consumers.”
Calling CMPs useful, Olson points out that each implementation varies, depending on the vendor, in how it captures consumer consent to meet a minimum standard. “Bottom line, the technologies that power the digital ecosystem are still fragmented and after almost two years of GDPR all that is being offered is a misplaced sense of trust,” he said.