WordPress Plugin Vulnerabilities

EU Cookie Law < 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

Description

By exploiting the documented vulnerability, an authenticated attacker with high privileges (administrator) can execute JavaScript code in a victim's browser. By default, in WordPress, administrator users are allowed to inject JavaScript as they have the unfiltered_html capability. The affected form also had Cross-Site Request Forgery (CSRF) protections in place, further lowering the risk of the issue.

The vendor released a fix in version 3.1 but it was not sufficient as it could be easily bypassed.

Due to the mitigating factors, this issue is extremely low risk.

Affects Plugins

Plugin icon
eu-cookie-law
Fixed in 3.1.3

References

CVE
CVE-2019-16522
URL
https://wordpress.org/support/topic/security-waring-by-shield-security/
URL
https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law
URL
https://plugins.trac.wordpress.org/changeset/2176080
URL
https://plugins.trac.wordpress.org/changeset/2329416/eu-cookie-law

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.3 (low)

Miscellaneous

Original Researcher
Tobias Fink (SBA Research)
Verified
No
WPVDB ID
aa42a023-20fc-40b8-b8b8-1a7dfca71525

Timeline

Publicly Published
2019-10-16 (about 6 years ago)
Added
2019-10-16 (about 6 years ago)
Last Updated
2020-06-24 (about 5 years ago)

Other

Published
Title
Published
2024-10-29
Title
Subscribe to Comments < 2.3.1 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Userbase Access Control <= 1.0 - Reflected Cross-Site Scripting
Published
2024-05-29
Title
Gum Elementor Addon < 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets
Published
2021-07-21
Title
Maintenance < 4.03 - Authenticated Stored XSS
Published
2024-05-20
Title
Simple Popup Manager <= 1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting