WordPress DSGVO Plugin from legalweb.io hacked

The GDPR plugin for WordPress from the provider legalweb.io has been hacked. WordPress installations running this plugin have to be considered compromised: visitors are redirected to malware sites. Here is a brief summary of what I know so far, based on a reader's tip.


The WP DSGVO Tools (GDPR) plugin

The plugin has been closed in the WordPress plugin directory since September 20, 2021, as the shapepress-dsgvo plugin page there shows. Unfortunately the notice says very little; the only thing you can take from it is that the closure is meant to be temporary.

Hack of the DSGVO plugin from legalweb.io

German blog reader Frank Z. contacted me by mail on Sunday, Sept 25, 2021 (thanks for that). An acquaintance had turned to him because his WordPress installation had been hacked. Frank wrote me the following under the subject "WordPress Hack with DSGVO plugin from legalweb.io":

Hello Günter,

today an acquaintance called me because his WordPress pages had been hacked.

There was a redirect to another page. I looked at your blog first, but didn't really find anything.

I then pulled the WordPress database of the affected pages and searched it for the redirect.

It was quickly found, too; it concerned the DSGVO tool. A short check: the version was actually up to date. I deactivated the plugin and the redirect was gone.

I researched further and found this: firestorm.ch

I think this affects some people with their sites; the plugin wasn't exactly unpopular.

Have a nice Sunday

The website firestorm.ch linked by Frank confirms this assumption and states the following:

The provider Legalweb with its popular WordPress tool DSGVO Tools (GDPR) has been hacked. All WordPress websites using this plugin are redirected to malware websites. Please act immediately and disable the plugin!

In the meantime there are further articles, like this post, reporting the facts. The site pluginvulnerabilities.com gives details in the article Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target, dated September 22, 2021. The plugin has more than 30,000 installs.


In the vulnerable versions there was a cross-site scripting (XSS) vulnerability in the plugin's settings: code stored in the settings fields was delivered to visitors unchanged, so an attacker who got code into those fields could run JavaScript on the website. That is exactly what appears to have happened. In the WordPress support forum for the plugin, legalweb left the following comment, which confirms the hack for all versions <= 3.1.22. I quote the text here in case it gets deleted:

In versions <= 3.1.22 attackers have managed to manipulate the scripts of the integrations.
Any code (HTML, JS, ...) can be entered into the input fields of our plugins, even code that redirects to another page.
The attacker managed to inject code into the Matomo field, for example, which redirects to other pages.
Since Matomo is allowed to run without consent, the code in this field is executed automatically on every visit. Thus the visitor was immediately redirected to another page.
However, this has nothing to do with Matomo; it could have been any other integration.

We now have a version that should solve this problem.
However, since we are currently under review, we cannot provide the update in the usual way at this time.
It can be downloaded from the following link https://legalweb.io/spdsgvo-bin/shapepress-dsgvo.zip.
Once the review is done, the plugin can be updated normally again.

Important: All integrations will be deactivated for safety reasons. Please check the scripts of your integrations (Google Analytics, Matomo, ...) to see whether it is really still your code or a "redirect script code". Only then activate the integration again.

You have to upload the zip via the WordPress plugin installer and replace the existing plugin with it.

If you are affected

Anyone using the provider's plugin should deactivate and delete it immediately. To do this, log into the WordPress dashboard and perform the following steps.

  1. In the dashboard under Plugins, deactivate the plugin WP DSGVO Tools (GDPR) and then delete it.
  2. Then, in an FTP program or in the WordPress hoster's dashboard, delete the following folder:
  3. Now check in the WordPress dashboard under Settings -> General that the two fields WordPress Address (URL) and Site Address (URL) still contain the correct URLs.


Finally, clear the cache of any caching plugin and change the WordPress passwords. Since the injected script lived in the plugin's settings in the database, also inspect the stored integration code (Google Analytics, Matomo and so on) before you re-enable any integration, as legalweb's note asks.
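Frank found the redirect by pulling the database and searching it, legalweb's note asks you to check every integration field for "redirect script code", and step 3 above checks the two site URLs. The following Python script, added here as an example and not code from legalweb.io or this blog, does those checks over an export of wp_options. It scans the raw option values as text, so it also finds a payload buried inside a PHP-serialized settings array without unserializing it. The option names (`spdsgvo_integration_*`), the sample rows and the script-host allowlist are constructed for illustration; the real plugin's option names may differ.

```python
"""Triage helper: scan exported wp_options rows for injected redirect code
and tampered site URLs after the WP DSGVO Tools incident.

Added example, not code from legalweb.io or the blog. Option names, sample
values and the allowlist are constructed; adapt them to your site.
"""
import json
import re
import sys
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (option_name, reason)

# HTML/JS primitives that send the visitor elsewhere, plus common
# obfuscation wrappers seen around injected payloads.
REDIRECT_PATTERNS = {
    "js-location-redirect": re.compile(
        r"""(?:\b(?:window|document|top|self|parent)\.)?\blocation\b\s*(?:\.(?:href|replace|assign)|=(?!=))""",
        re.IGNORECASE),
    "meta-refresh": re.compile(
        r"""<meta[^>]+http-equiv\s*=\s*["']?refresh""", re.IGNORECASE),
    "obfuscation": re.compile(
        r"""\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode""", re.IGNORECASE),
}

# Host of every externally loaded <script src=...>; anything not on the
# caller's allowlist is reported.
EXTERNAL_SCRIPT = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)

# Constructed allowlist: script hosts the site owner knowingly embeds.
ALLOWED_SCRIPT_HOSTS = ("www.googletagmanager.com", "www.google-analytics.com")

# Constructed wp_options export. The option_name values are hypothetical;
# only the redirect in the "Matomo" field mirrors what the vendor described.
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://example.org"),
    ("home", "https://evil.example/"),  # tampered site address
    ("spdsgvo_integration_matomo",
     '<script>window.location.replace("https://malware.example/landing");</script>'),
    ("spdsgvo_integration_ga",
     "<script async src='https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX'></script>"
     "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
     "gtag('js',new Date());gtag('config','G-XXXXXXX');</script>"),
    ("blogname", "Example Blog"),
]


def scan_value(name: str, value: str, allowed_hosts: Iterable[str]) -> List[Finding]:
    """Report redirect primitives and unknown external scripts in one option value."""
    findings: List[Finding] = []
    for label, pattern in REDIRECT_PATTERNS.items():
        if pattern.search(value):
            findings.append((name, label))
    allowed = {h.lower() for h in allowed_hosts}
    for host in EXTERNAL_SCRIPT.findall(value):
        if host.lower() not in allowed:
            findings.append((name, f"external-script:{host.lower()}"))
    return findings


def scan_options(rows: Iterable[Tuple[str, str]], expected_site_url: str,
                 allowed_hosts: Iterable[str]) -> List[Finding]:
    """Walk (option_name, option_value) rows.

    siteurl/home are compared with the URL the site should have (step 3 of
    the clean-up); every other option is searched for redirect code, which
    covers the plugin's integration fields whatever they are named.
    """
    expected = expected_site_url.rstrip("/").lower()
    findings: List[Finding] = []
    for name, value in rows:
        if name in ("siteurl", "home"):
            if value.rstrip("/").lower() != expected:
                findings.append((name, f"url-mismatch:{value}"))
        else:
            findings.extend(scan_value(name, value, allowed_hosts))
    return findings


def load_wp_cli_json(text: str) -> List[Tuple[str, str]]:
    """Accept the output of `wp option list --format=json`."""
    return [(row["option_name"], str(row["option_value"])) for row in json.loads(text)]


if __name__ == "__main__":
    # Usage: python scan_options.py https://example.org [options.json]
    # Without a file argument the constructed sample rows are scanned.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.org"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            rows = load_wp_cli_json(fh.read())
    else:
        rows = SAMPLE_WP_OPTIONS
    for option_name, reason in scan_options(rows, site, ALLOWED_SCRIPT_HOSTS):
        print(f"{option_name}: {reason}")
```

On the sample rows the script reports the tampered home URL and the redirect in the Matomo field, while the genuine Google tag passes because its host is on the allowlist. One caveat: Matomo's stock tracking snippet builds its loader dynamically (`g.src=u+'matomo.js'`) rather than with a `<script src=...>` tag, so the external-script check does not see that host; for such snippets, grep the option values for the hostnames you expect and treat any other one as suspect. A clean scan is the precondition legalweb's note sets before switching an integration back on.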
