Under Attack: CVE-2023-6700 in ‘Cookie Information’ Plugin Threatens 100k WordPress Sites
In the ever-evolving Internet landscape, the importance of data privacy and compliance with regulations such as GDPR (General Data Protection Regulation) cannot be overstated. WordPress, one of the most popular content management systems, offers a plethora of plugins to assist website owners in adhering to these regulations. However, a critical security flaw in the ‘Cookie Information | Free GDPR Consent Solution‘ plugin, tracked as CVE-2023-6700, is being actively exploited by malicious actors.
The ‘Cookie Information | Free GDPR Consent Solution’ plugin is a valuable tool for website owners seeking GDPR compliance. It provides essential features like a free cookie pop-up and consent log. This plugin has over 100,000+ active installations. Unfortunately, it has also inadvertently introduced a severe security risk.
This vulnerability, rated with a CVSS score of 8.8, stems from a critical-severity PHP object injection issue. The flaw enables authenticated attackers, with subscriber-level access or higher, to exploit the plugin’s missing capability check on its AJAX request handler. This allows them to make arbitrary updates to site options, a dangerous capability that can lead to the creation of unauthorized administrator accounts.
WordPress security firm Wordfence has sounded the alarm, reporting over 1,400 blocked attacks targeting CVE-2023-6700 in the past 24 hours alone. The sheer volume of these attacks underscores the urgency of the situation. Malicious actors are actively seizing this opportunity to compromise websites and potentially gain unauthorized control.
In response to the critical vulnerability, the plugin vendor, Cookie Information, has released version 2.0.23. This update addresses the security flaw and fortifies the plugin’s defenses against exploitation. Users are strongly urged to upgrade to this latest version immediately to safeguard their websites and maintain GDPR compliance.
Failure to act swiftly can have severe consequences. A compromised website not only jeopardizes user data and trust but can also lead to regulatory penalties under GDPR. As data breaches continue to make headlines, organizations must prioritize security to protect their reputation and legal standing.
