A patch released this week for the WordPress GDPR Cookie Consent plugin, used by more than 700,000 websites, fixed critical vulnerabilities that would let attackers change and delete content as well as inject malicious JavaScript code.

The GDPR Cookie Consent plugin aids sites in complying with EU GDPR/Cookie Law regulations and is maintained by WebToffee.

Noting that even “users who do not use Wordfence Premium have a clear upgrade path” now that the patch is available, Wordfence described “how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository” and released details on the vulnerability.

Essentially, an improper capabilities check on an AJAX endpoint meant only to be used by administrators made it possible for “subscriber-level users to perform a number of actions” that could compromise site security.
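As an added illustration of that bug class (this is hypothetical code, not the plugin's or Wordfence's), here is a WordPress AJAX handler that stores page content with no capability check, beside a hardened version; every `hypo_` name and the option key are assumptions.

```php
<?php
// Constructed example. An AJAX action is reachable by any logged-in user via
// admin-ajax.php, so "is authenticated" is not the same as "is an admin".

// --- Vulnerable pattern -------------------------------------------------
function hypo_save_policy_vulnerable() {
    // No current_user_can() and no nonce check: a subscriber account can
    // call this and persist arbitrary HTML/JavaScript into the option.
    $content = wp_unslash( $_POST['content'] ?? '' );
    update_option( 'hypo_policy_text', $content ); // stored unsanitized
    wp_send_json_success();
}
// add_action( 'wp_ajax_hypo_save_policy', 'hypo_save_policy_vulnerable' );
// (left unregistered here so only the fixed handler is active)

// --- Hardened pattern ---------------------------------------------------
function hypo_save_policy_fixed() {
    // 1. Authorization: restrict to users allowed to manage site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // 2. CSRF protection: the client must send a nonce made with
    //    wp_create_nonce( 'hypo_save_policy' ); check_ajax_referer() dies
    //    on mismatch.
    check_ajax_referer( 'hypo_save_policy', 'nonce' );
    // 3. Sanitize before storing: wp_kses_post() strips <script> tags and
    //    on* event handlers, removing the stored-XSS payload at the source.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'hypo_policy_text', $content );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_policy', 'hypo_save_policy_fixed' );

// Defense in depth: also filter on output, not only on input.
function hypo_render_policy() {
    echo wp_kses_post( get_option( 'hypo_policy_text', '' ) );
}
```

When auditing a plugin, grep every `wp_ajax_` and `admin_init` hook for a matching `current_user_can()` and nonce check; an endpoint with neither is the pattern this advisory describes.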

“While consent management platforms (CMP) have been widely adopted, they have not been proven to honor consumer choice,” said The Media Trust CEO Chris Olson. “CMPs conform to a minimum standard and oftentimes provide outdated information to consumers.”

Calling CMPs useful, Olson points out that implementations vary by vendor in the way they capture consumer consent to meet a minimum standard. “Bottom line, the technologies that power the digital ecosystem are still fragmented and after almost two years of GDPR all that is being offered is a misplaced sense of trust,” he said.