Cookie Bar < 1.8.9 – Admin+ Stored Cross-Site Scripting | CVE 2021-24653 | Plugin Vulnerabilities

Description

The plugin doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Add the following payload in the "Cookie Bar Message" setting of the plugin (/wp-admin/options-general.php?page=cookie-bar-settings): <img src onerror=alert(/XSS/)>

Then access the frontend (with any user/unauthenticated user) to trigger the XSS

Affects Plugins

Fixed in 1.8.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

pang0lin@webray.com.cn inc

Submitter

pang0lin@webray.com.cn inc

Submitter website

https://github.com/pang0lin

Verified

Yes

WPVDB ID

bfa8f46f-d323-4a2d-b875-39cd9b4cee0a

Timeline

Publicly Published

2021-09-22 (about 4 years ago)

Added

2021-09-22 (about 4 years ago)

Last Updated

2023-02-03 (about 2 years ago)

Other

Published

Title

Published

2025-08-25

Title

Responsive Mobile-Friendly Tooltip <= 1.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-28

Title

WP Posts Carousel < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-03-30

Title

Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting

Published

2024-09-30

Title

DethemeKit For Elementor < 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-24

Title

Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery ) <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload