Stored Cross-Site Scripting Vulnerability in WP Cookie Consent Plugin
CVE-2024-4869

7.2HIGH

Key Information:

Vendor
Wordpress
Status
Cookie Consent For WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for Gdpr, Ccpa & Eprivacy)
Vendor
CVE Published:
26 June 2024

Summary

The WP Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting, primarily through the manipulation of the 'Client-IP' header. This vulnerability exists in all versions up to and including 3.2.0 due to inadequate input sanitization and insufficient output escaping. Consequently, unauthenticated attackers can exploit this weakness to inject arbitrary web scripts into pages. These scripts can execute whenever a user accesses the compromised page, posing a significant threat to the security and integrity of the affected WordPress installations.

Affected Version(s)

Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) * <= 3.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/gdpr-cookie-co...
https://plugins.trac.wordpress.org/browser/gdpr-cookie-co...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

Credit

Krzysztof Zając
.