WordPress Plugin Vulnerabilities

Cookie Notice & Compliance for GDPR / CCPA < 2.4.7 - Contributor+ XSS

Description

The plugin does not validate and escape some of its cookies_revoke shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
cookie-notice
Fixed in 2.4.7

References

CVE
CVE-2023-24400

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
97809791-f83e-4cf3-8ec5-1672d3dd36c8

Timeline

Publicly Published
2023-03-02 (about 3 years ago)
Added
2023-05-08 (about 2 years ago)
Last Updated
2023-05-08 (about 2 years ago)

Other

Published
Title
Published
2024-12-16
Title
Portfolio – Filterable Masonry Portfolio Gallery for Professionals <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-10-24
Title
ProfileGrid < 5.1.1 - Reflected Cross-Site Scripting
Published
2026-02-26
Title
Responsive Zoom In/Out Slider WordPress Plugin <= 5.4.5 - Reflected Cross-Site Scripting
Published
2022-02-02
Title
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
Published
2023-09-15
Title
Horizontal scrolling announcement for WordPress <= 9.2 Contributor+ Stored XSS