WP GDPR Compliance 1.4.3 Security Release

WordPress GDPR Compliance 1.4.3 is now available. This is a security release for all previous versions and we strongly encourage you to update immediately.

Download 1.4.3 or venture over to Dashboard → Updates and simply click “Update Now”.

Fix

After 1.4.3 became available hackers started to actively target previous versions. Anyone who didn’t update the plugin right away on November 7th, 2018 should look for changes in their database. Most noticeably there will be one or several users you don’t recognise with admin rights. Any account that you do not recognise should be deleted.

If possible we recommend restoring a complete backup of your site from before November 6th, 2018. After restoring please update to 1.4.3 right away.

There are also tools (freely) available that help you clean your database of any malicious injections.

We asked the Plugin Directory Team to see if there’s a possibility for a forced plugin update but they told us that is not an option.

Discovery

The vulnerabilities were reported to us by the WordPress.org Plugin Directory Team on Tuesday, November 6th 2018. Thanks to their thorough analyses and quick response we were able to release 1.4.3 within 24 hours.

Changelog

Wrong handling of possible user input in combination with unsafe unserialization can make previous versions vulnerable to SQL injection.

* Security fix: Removed base64_decode() function.
* Security fix: Correctly escape input in $wpdb->prepare() function.
* Security fix: Only allow modifying WordPress options used by the plugin and by the user capabilities.

WordPress 4.9.6 supports GDPR!

Good news from the WordPress Core team: 4.9.6 gives site owners several privacy related functions.

  • WordPress Comments now show a checkbox to explicitly save your data for the next visit. If you don’t tick it your data will not be saved when you end the session.
  • You can easily add your Privacy Policy to the standard WordPress register and login box.
  • User data can be exported or erased.

Third-party plugins will be able to designate personal data in their plugin so the Core function to export or erase knows what data is present.

Handy features to help everyone take care of several parts of GDPR.

Right now it is not possible to let visitors directly request their data through Core. Something that is available through the WP GDPR Compliance plugin. Be on the lookout for future releases as we’ll also take care of cookie consent for you.