Cookie Law Bar <= 1.2.1 – Authenticated Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not properly sanitise its Bar Message setting, allowing high privilege users to set an XSS payload in it, which will be triggered in all frontend page of the blog.

Proof of Concept

As admin, go the plugin settings (/wp-admin/options-general.php?page=clb) and set a payload such as <script>alert(/XSS/)</script> in the Bar Message field, then go on any frontend pages after saving the settings

Affects Plugins

No known fix

References

Exploitdb

URL

https://packetstormsecurity.com/files/#162763/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mesut Cetin

Verified

Yes

WPVDB ID

d2b3c245-385e-495e-a19e-730a1ee28906

Timeline

Publicly Published

2021-05-25 (about 4 years ago)

Added

2021-05-25 (about 4 years ago)

Last Updated

2021-05-26 (about 4 years ago)

Other

Published

Title

Published

2023-09-27

Title

Save as Image by Pdfcrowd < 2.16.1 - Admin+ Stored XSS

Published

2024-12-17

Title

Services updates for customers <= 1.0 - Reflected Cross-Site Scripting

Published

2025-07-16

Title

Welcart e-Commerce < 2.11.17 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Add custom content after post <= 1.0 - Reflected Cross-Site Scripting

Published

2021-10-15

Title

YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module