WordPress Plugin Vulnerabilities

WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting

Description

The plugin is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
wp-cookiechoise
No known fix

References

CVE
CVE-2021-24595

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
c809bdb3-d820-4ce1-9cbc-e41985fb5052

Timeline

Publicly Published
2021-09-20 (about 4 years ago)
Added
2021-09-20 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2025-04-10
Title
GB Gallery Slideshow <= 1.3 - Reflected Cross-Site Scripting
Published
2020-11-12
Title
Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS
Published
2025-01-16
Title
WP Intro.JS Plugin <= 1.1 - Reflected Cross-Site Scripting
Published
2024-10-30
Title
SEO Plugin by Squirrly SEO < 12.3.21 - Editor+ Stored XSS
Published
2025-02-02
Title
Social Links <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting