On September 27, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability we found in WP DSGVO Tools (GDPR), a WordPress plugin with over 30,000 installations. We were investigating the plugin to verify that our customers were fully protected from an actively exploited XSS issue, and found a flaw that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.
After we found a viable communication channel, the plugin’s developer responded and we sent over full disclosure on September 30, 2021. A patched version, 3.1.24, which included a fix for both this issue and a separate XSS vulnerability, was made available the same day.
We released a firewall rule to protect Wordfence Premium customers against the post deletion vulnerability on September 27, 2021, and this rule became available to free Wordfence users 30 days later, on October 27, 2021.
All Wordfence users, including Wordfence free users, were already protected against XSS exploits by the Wordfence firewall’s built-in XSS protection, though we did add some additional protection in the new