Monday, April 19, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent

February 14, 2020
in Internet Security
Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Threat Intelligence Index Report from IBM X-Force
Christopher Scott, Global remediation lead, IBM X-Force incident response and intelligence services, sits down with Tonya Hall to talk about the latest Threat Intelligence Index Report and its findings, including that unpatched systems are a leading vulnerability while the finance and retail industries are two of the top industry cyber targets.

Critical security issues caused by improper access controls in a WordPress plugin designed for GDPR cookie compliance have been resolved, but hundreds of thousands of websites may still be vulnerable to attack. 

You might also like

Security crucial as 5G connects more industries, devices

Google releases Chrome 90 with HTTPS by default and security fixes

SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack

The GDPR Cookie Consent plugin, offered by developer Cookie Law Info through WebToffee, has been designed to help ensure websites are compliant with the EU’s General Data Protection Regulation (GDPR); specifically, obtaining consent for cookies from visitors, the creation of a Privacy & Cookies Policy page and the enablement of banners showing compliance.

The plugin accounts for over 700,000 active installs according to the WordPress library. 

On January 28, NinTechNet researcher Jerome Bruandet discovered a vulnerability affecting GDPR Cookie Consent version 1.8.2 and below.

See also: Enterprise companies struggle to control security certificates, cryptographic keys

The security flaw, of which a CVE number has been requested, is a critical issue caused by missed capabilities checks, leading to authenticated, stored cross-site scripting (XSS) and potentially privilege escalation.

A vulnerable AJAX endpoint is the root cause of the problem, in which a failure to implement checks meant that three actions were exposed: get_policy_pageid, autosave_contant_data, and save_contentdata.

According to WordPress security organization WordFence, “because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.”

While get_policy_pageid only offers the post ID of a cookie policy page and does not, therefore, pose much harm, the exposure of autosave_contant_data — (spelling mistake in the code) — a function intended for the definition of default content in the policy preview page means that this page could be injected with XSS payloads. 

Malicious payloads could then be executed that load when http:// websitename /cli-policy-preview/ is visited by members of the public.

In addition, save_contentdata is intended for use in creating or updating the post used for the policy page, and so exposure could permit attackers to change the post content in a number of different ways. 

CNET: IPVanish vs. ExpressVPN: Security, speed and price compared

“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from “published” to “draft,”” Bruandet said. 

It may also be possible to use this action to delete material or inject content including “formatted text, local or remote images as well as hyperlinks and shortcodes,” the researcher says.

TechRepublic: Cloud computing security: These two Microsoft tools can help you battle shadow IT

The severe vulnerability was reported to the developer on February 4. The plugin was temporarily removed from the WordPress.org directory pending a fix on February 8. A patch was made available two days later and was pushed to plugins.svn.wordpress.org. 

It is recommended that GDPR Cookie Consent plugin users make sure they are using the latest version of the software, 1.8.3, to stay protected. At the time of writing, 64.5 percent of users have updated — with thousands of websites left to go. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Credit: Zdnet

Previous Post

Jeff Bezos Cashed Out $4 Billion in Amazon Stock For a Mighty Shopping Spree

Next Post

Highly Effective Leaders vs. Ineffective Managers

Related Posts

Security crucial as 5G connects more industries, devices
Internet Security

Security crucial as 5G connects more industries, devices

April 17, 2021
Google releases Chrome 90 with HTTPS by default and security fixes
Internet Security

Google releases Chrome 90 with HTTPS by default and security fixes

April 17, 2021
SolarWinds cybersecurity spending tops $3 million in Q4, sees $20 million to $25 million in 2021
Internet Security

SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack

April 17, 2021
Google Project Zero testing 30-day grace period on bug details to boost user patching
Internet Security

Google Project Zero testing 30-day grace period on bug details to boost user patching

April 17, 2021
Cyberattack on UK university knocks out online learning, Teams and Zoom
Internet Security

Cyberattack on UK university knocks out online learning, Teams and Zoom

April 17, 2021
Next Post
Highly Effective Leaders vs. Ineffective Managers

Highly Effective Leaders vs. Ineffective Managers

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Machine Learning Helps Optimize Therapeutic Antibodies
Machine Learning

Machine Learning Helps Optimize Therapeutic Antibodies

April 18, 2021
Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights
Machine Learning

Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights

April 18, 2021
Automating Drug Discovery With Machine Learning
Machine Learning

Automating Drug Discovery With Machine Learning

April 18, 2021
Twitter aims to fight bias by examining its own machine learning algorithms
Machine Learning

Twitter aims to fight bias by examining its own machine learning algorithms

April 18, 2021
Make Machine Learning Interpretable with Shapash
Machine Learning

Make Machine Learning Interpretable with Shapash

April 18, 2021
Why the Patent Classification System Needs an Update
Machine Learning

Why the Patent Classification System Needs an Update

April 18, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Machine Learning Helps Optimize Therapeutic Antibodies April 18, 2021
  • Researchers at MIT DAI Lab Have Recently Built Cardea: A Machine Learning Framework That Turns Health Care Data Into Insights April 18, 2021
  • Automating Drug Discovery With Machine Learning April 18, 2021
  • Twitter aims to fight bias by examining its own machine learning algorithms April 18, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates