WordPress Plugin Vulnerabilities

Beautiful Cookie Consent Banner < 2.10.2 - Unauthenticated Stored XSS

Description

The plugin does not have authorisation and CSRF check when updating its settings, and does not escape some of them when outputting them, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks. An initial fix was released in version 2.10.1, and completed in 2.10.2.

Note: The issue is being actively exploited

Proof of Concept

Affects Plugins

Plugin icon
beautiful-and-responsive-cookie-consent
Fixed in 2.10.2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Verified
Yes
WPVDB ID
438c6818-cace-410b-ace3-325e5ea06365

Timeline

Publicly Published
2023-02-13 (about 2 years ago)
Added
2023-02-05 (about 2 years ago)
Last Updated
2023-02-06 (about 2 years ago)

Other

Published
Title
Published
2024-09-12
Title
WP Meta SEO < 4.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-22
Title
Rank Math SEO with AI SEO Tools < 1.0.217 - Contributor+ Stored Cross-Site Scripting via 'titleWrapper'
Published
2021-07-12
Title
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Published
2021-08-24
Title
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
Published
2024-08-28
Title
Nested Pages <= 3.2.8 - Editor+ Stored XSS