WordPress Plugin Vulnerabilities

tarteaucitron.js - Cookies legislation & GDPR < 1.6.1 - Admin + Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Affects Plugins

Plugin icon
tarteaucitronjs
Fixed in 1.6.1

References

CVE
CVE-2021-36889

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
9e31f8f8-d541-4aa8-85d1-ce0d27b57899

Timeline

Publicly Published
2021-12-17 (about 4 years ago)
Added
2021-12-21 (about 4 years ago)
Last Updated
2022-04-13 (about 4 years ago)

Other

Published
Title
Published
2025-03-24
Title
WP Parallax Content Slider <= 0.9.8 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-10-24
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-24
Title
Post Grid and Gutenberg Blocks < 2.2.94 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-09
Title
Insert HTML Here <= 1.0 - Reflected Cross-Site Scripting
Published
2024-03-07
Title
Pz-LinkCard < 2.5.3 - Reflected XSS