The General Data Protection Regulation (GDPR) is supposed to make companies take extra care with their customers’ personal data. That includes gathering explicit consent before using the information and keeping it safe from identity thieves.
WP GDPR Compliance is a plugin that allows WordPress website owners to add a checkbox to their websites. The checkbox allows visitors handing over their data to grant permission for the site owners to use it for a defined purpose, such as handling a customer order. It also allows visitors to request copies of the data that the website holds about them.
Users send these requests using
The GDPR plugin also allows users to configure it via admin-ajax.php, and that’s where the trouble begins. Attackers can send it malicious commands, which it stores and executes without first checking who sent them. They can use this to trigger WordPress actions of their own.
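To show the shape of the problem, here is an added illustration in PHP of the pattern the paragraph above describes: an admin-ajax handler that accepts a request from anyone, stores what it is told, and runs it as a WordPress action, followed by a hardened version. This is example code written for this page, not the WP GDPR Compliance plugin’s own code; the hook names (`example_process`, `example_process_safe`), the option name, the nonce name and the request fields are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook names, option name, nonce
// name and request fields are hypothetical.

// Vulnerable pattern: the handler is registered for logged-out visitors
// (wp_ajax_nopriv_*) as well as logged-in ones, and trusts the request.
add_action('wp_ajax_nopriv_example_process', 'example_process_vulnerable');
add_action('wp_ajax_example_process', 'example_process_vulnerable');

function example_process_vulnerable() {
    // No nonce check, no capability check, no allowlist of actions.
    $action = isset($_POST['action_name']) ? $_POST['action_name'] : '';
    $value  = isset($_POST['value']) ? $_POST['value'] : '';

    // Attacker-controlled data is stored in the database...
    update_option('example_pending_action', array($action, $value));

    // ...and then executed as whatever WordPress hook the attacker named.
    do_action($action, $value);
    wp_send_json_success();
}

// Hardened pattern: logged-in users only, a nonce tied to this operation,
// a capability check, and a fixed list of actions the handler may fire.
add_action('wp_ajax_example_process_safe', 'example_process_hardened');

function example_process_hardened() {
    // check_ajax_referer() stops the request if the nonce is missing or bad.
    check_ajax_referer('example_process_nonce', 'security');

    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // Only actions this plugin defines may be triggered; the request can
    // choose among them but cannot name an arbitrary hook.
    $allowed = array('example_export_request', 'example_delete_request');
    $action  = isset($_POST['action_name']) ? sanitize_key($_POST['action_name']) : '';
    if (!in_array($action, $allowed, true)) {
        wp_send_json_error('unknown action', 400);
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    do_action($action, $value);
    wp_send_json_success();
}
```

The two changes that matter are dropping the `wp_ajax_nopriv_` registration (so anonymous visitors cannot reach the handler at all) and refusing to pass a request-supplied string to `do_action` or `update_option` unless it matches a value the plugin itself defined. A nonce alone is not enough, since WordPress issues nonces to anonymous sessions too; the capability check is what actually restricts the operation to administrators.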