Security researchers uncover major WebToffee GDPR Cookies Consent plugin vulnerability

Security researchers have identified a significant security flaw in the WebToffee GDPR Cookies Consent plugin that could affect more than 30,000 businesses and millions of customers worldwide.


Recently, researchers at Zitec, a Romanian software company that provides software solutions across Europe, discovered a security vulnerability in the WebToffee GDPR Cookies Consent plugin. The vulnerability, a blind cross-site scripting (XSS) flaw, could expose customers’ sensitive personal data and jeopardise GDPR compliance, which can result in fines of up to €20 million or 4% of global annual revenue.


The vulnerability was first identified during routine testing carried out by Zitec’s cybersecurity audit team. “By simulating the actions of a regular user and analysing the plugin’s data handling processes, the team discovered a weakness in how user IP addresses were logged,” the company said.


“The plugin’s failure to validate HTTP headers allowed malicious actors to inject harmful code, compromising administrative control and putting countless users at risk,” it added.


Soon after identifying the security flaw in the Cookies Consent plugin, Zitec contacted WebToffee and worked with the firm to implement security patches immediately, ensuring that only valid, properly formatted inputs would be accepted.
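As an added illustration (not the plugin’s code, which the article does not show), the logging weakness and the fix described above in Python: a client IP taken verbatim from a forwarded-for header and stored, beside a version that accepts only a syntactically valid address and escapes it when rendered in an admin view. The header names and sample requests are constructed.

```python
import html
import ipaddress
from typing import Dict, List, Optional

# Constructed sample requests (CGI-style server variables; not from the
# article or the plugin): a client behind a proxy, a client whose header
# value is not an IP address at all, and a direct client.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "203.0.113.5"},
    {"REMOTE_ADDR": "198.51.100.8", "HTTP_X_FORWARDED_FOR": "<not-an-ip>"},
    {"REMOTE_ADDR": "198.51.100.9"},
]

def client_ip_unvalidated(server: Dict[str, str]) -> str:
    """Weak pattern: whatever the client put in the header is stored as its IP."""
    return server.get("HTTP_X_FORWARDED_FOR", server["REMOTE_ADDR"])

def client_ip_validated(server: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: accept the header only if it parses as an IP address.

    X-Forwarded-For may carry a comma-separated chain; the first entry is the
    original client. In production the header should additionally be trusted
    only when REMOTE_ADDR is a known proxy, which this example does not model.
    """
    raw = server.get("HTTP_X_FORWARDED_FOR", server["REMOTE_ADDR"])
    candidate = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))  # normalises, rejects junk
    except ValueError:
        return None

def collect_log(requests: List[Dict[str, str]], validate: bool = True) -> List[str]:
    """Build the consent log; invalid header values fall back to REMOTE_ADDR."""
    stored: List[str] = []
    for server in requests:
        ip = client_ip_validated(server) if validate else client_ip_unvalidated(server)
        stored.append(ip if ip is not None else server["REMOTE_ADDR"])
    return stored

def render_admin_row(ip: str) -> str:
    """Output encoding: a stored value is data, never markup, in the admin view."""
    return "<td>{}</td>".format(html.escape(ip, quote=True))

if __name__ == "__main__":
    print(collect_log(SAMPLE_REQUESTS, validate=False))  # header stored verbatim
    print(collect_log(SAMPLE_REQUESTS))                  # only valid addresses kept
```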


Commenting on this, Lucian Daia, CTO of Zitec, said: “As malicious actors get smarter and vulnerabilities become more widespread, it’s imperative that companies implement strong cybersecurity management into their operations.


“The recent flaw that the security team identified in the plugin is a powerful reminder of how easily unseen vulnerabilities can wreak havoc. With upcoming legislation like DORA setting more defined compliance requirements, regular testing and proactive measures can make all the difference for protecting customer data, maintaining trust, and meeting stringent regulations.”
