WordPress Plugin Vulnerabilities

tarteaucitron.js - Cookies legislation & GDPR < 1.6 - CSRF to Stored Cross-Site Scripting

Description

The plugin does not have CSRF check in place in its settings, as well as does not sanitise and escape them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks against them

Affects Plugins

Plugin icon
tarteaucitronjs
Fixed in 1.6

References

CVE
CVE-2021-36887

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Julio Potier
Verified
No
WPVDB ID
bb29b1de-c38f-45ea-aaf8-3696097af65e

Timeline

Publicly Published
2021-12-09 (about 4 years ago)
Added
2021-12-21 (about 4 years ago)
Last Updated
2022-04-13 (about 4 years ago)

Other

Published
Title
Published
2024-11-22
Title
Zajax – Ajax Navigation <= 0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-26
Title
Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger
Published
2023-03-31
Title
Health Check & Troubleshooting < 1.6.0 - CSRF
Published
2024-04-16
Title
PeproDev CF7 Database < 1.9.0 - Cross-Site Request Forgery
Published
2024-01-12
Title
WP Spell Check < 9.18 - Cross-Site Request Forgery