UK Cookie Consent <= 2.3.9 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2018-10310 | Plugin Vulnerabilities

Description

A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.

Tested on version 2.3.9 (older versions may also be affected)

Proof of Concept

1) Access WordPress control panel.
2) Navigate to the 'Pages'.
3) Add a new page and insert the script you wish to inject into the page title.
4) Now navigate to 'Settings' and select 'Cookie Consent'.
5) Now click on the 'Content' tab.
6) Your injected script will now be executed.

Affects Plugins

uk-cookie-consent

Fixed in 2.3.10

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/1863058/uk-cookie-consent

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

B0UG

Verified

No

WPVDB ID

18b9747f-1820-4754-b586-363c2ef8bda5

Timeline

Publicly Published

2018-04-24 (about 7 years ago)

Added

2018-04-26 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-01-24

Title

Create with Code < 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-24

Title

Masy Gallery <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2016-07-19

Title

Ninja Forms <= 2.9.51 - Multiple Authenticated Cross-Site Scripting (XSS)

Published

2021-08-09

Title

Form Builder < 1.9.8.4 - Authenticated Stored Cross-Site Scripting

Published

2022-01-17

Title

MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting