Dear customers and website visitors,
On Monday, 2021-09-27, we were informed that our website active-directory-wp.com redirected to various malicious websites. After we investigated this incident, it turned out that the plug-in shapepress-dsgvo had security issues. Those issues had been exploited to initiate redirections to other websites.

We

  • did various security scans.
  • checked for file and database modifications before and after removing the vulnerable plug-in from our website.
  • checked the source code of the vulnerable plug-in ourselves.

Our investigation concludes:

  • No files in our WordPress instance were modified.
  • Data stored in our WordPress database (including customer- or payment-related information) was neither accessed nor modified. There was no unauthorized access to your data.
  • Cookies should not have been stolen. The exploit only redirected to other websites but did not pass on any cookies or authentication information.
  • NADI’s source code in our public GitHub repository was not modified.
  • No NADI installation was affected. This was an issue only on our website.

As always with any security issue, if you logged on between ~2021-09-20 and 2021-09-27 16:00 GMT+2, you should change the password for your customer account.

We are really sorry for the inconvenience and hope not to lose your trust. Security has been and will always be the main driver behind Next Active Directory Integration and our related work.
Please don’t hesitate to contact us directly at support [at] active-directory [dot] com if you have any further questions.

Timeline

  • Monday, 2021-09-20 10:00 GMT: Latest regularly scheduled check for updates for this WordPress instance
  • Monday, 2021-09-20: shapepress-dsgvo was disabled in the public WordPress repository
  • Thursday, 2021-09-22: Public disclosure of the exploit
  • Friday, 2021-09-23: Unrelated maintenance on active-directory-wp.com; website had no redirects
  • Probably on Saturday, 2021-09-25 or Sunday, 2021-09-26: Activation of the exploit
  • Monday, 2021-09-27: Notification of the security issue; removal of the exploited plug-in