Cookie Notice & Compliance for GDPR / CCPA < 2.1.2 - Admin+ Stored Cross-Site Scripting
CVE-2021-24569

4.8MEDIUM

Key Information:

Vendor: Wordpress
Status: Cookie Notice & Compliance For Gdpr / Ccpa
Vendor: CVE Published:; 27 September 2021

Summary

The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.

Affected Version(s)

Cookie Notice & Compliance for GDPR / CCPA 2.1.2

References

https://wpscan.com/vulnerability/38053e05-4b17-4fa9-acd3-...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 27, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

Asif Nawaz Minhas