Cookie Notice & Compliance for GDPR / CCPA < 2.4.18 – Admin+ Stored XSS | CVE 2022-3399 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the 'cookie_notice_options[refuse_code_head]' parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative privileges and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected /wp-admin/admin.php?page=cookie-notice page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 2.4.18

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/73fd35b4-16b3-4f57-a3e4-46e4de0ee822

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

c3p0d4y

Verified

No

WPVDB ID

b86946a4-ddbb-430d-a2d6-d7ca6b1cb4be

Timeline

Publicly Published

2024-08-15 (about 1 year ago)

Added

2024-08-16 (about 1 year ago)

Last Updated

2024-11-29 (about 1 year ago)

Other

Published

Title

Published

2024-11-26

Title

Counter Up – Animated Number Counter & Milestone Showcase < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-04-09

Title

BigBlueButton < 2.2.4 - Reflected Cross-Site Scripting (XSS)

Published

2021-08-16

Title

Email Artillery <= 4.1 - Multiple Authenticated SQL Injections

Published

2024-11-26

Title

Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wdo_pricing_tables Shortcode

Published

2024-12-11

Title

Add infos to the events calendar < 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting