Search criteria
8 vulnerabilities found for wp_cookie_consent by wpeka
CVE-2024-11724 (GCVE-0-2024-11724)
Vulnerability from nvd – Published: 2024-12-12 06:46 – Updated: 2024-12-12 14:45
VLAI?
Title
Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script
Summary
The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wplegalpages | Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent |
Affected:
* , ≤ 3.6.5
(semver)
|
Credits
Tieu Pham Trong Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T14:45:40.896917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T14:45:52.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) : WP Cookie Consent",
"vendor": "wplegalpages",
"versions": [
{
"lessThanOrEqual": "3.6.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T06:46:34.875Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a1de53-330f-49ab-a8f8-22753c62bd36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) \u003c= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11724",
"datePublished": "2024-12-12T06:46:34.875Z",
"dateReserved": "2024-11-25T20:30:10.076Z",
"dateUpdated": "2024-12-12T14:45:52.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4869 (GCVE-0-2024-4869)
Vulnerability from nvd – Published: 2024-06-25 23:35 – Updated: 2024-08-01 20:55
VLAI?
Title
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header
Summary
The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpeka-club | Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) |
Affected:
* , ≤ 3.2.0
(semver)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T17:52:02.007262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T17:52:09.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/507b2e65-987b-4d4a-8a99-5366048d925e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/class-gdpr-cookie-consent-public.php#L793"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/modules/consent-logs/class-wpl-cookie-consent-consent-logs.php#L570"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy)",
"vendor": "wpeka-club",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Client-IP\u2019 header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T23:35:07.549Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/507b2e65-987b-4d4a-8a99-5366048d925e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/class-gdpr-cookie-consent-public.php#L793"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/modules/consent-logs/class-wpl-cookie-consent-consent-logs.php#L570"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-07T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-25T11:22:29.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) \u003c= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4869",
"datePublished": "2024-06-25T23:35:07.549Z",
"dateReserved": "2024-05-14T12:51:46.101Z",
"dateUpdated": "2024-08-01T20:55:10.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3599 (GCVE-0-2024-3599)
Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2024-08-01 20:12
VLAI?
Summary
The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpeka-club | WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) |
Affected:
* , ≤ 3.0.2
(semver)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:17:17.312029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:20.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:08.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3071278/gdpr-cookie-consent/tags/3.1.0/admin/class-gdpr-cookie-consent-admin.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy )",
"vendor": "wpeka-club",
"versions": [
{
"lessThanOrEqual": "3.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:52:03.427Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3071278/gdpr-cookie-consent/tags/3.1.0/admin/class-gdpr-cookie-consent-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3599",
"datePublished": "2024-05-02T16:52:03.427Z",
"dateReserved": "2024-04-10T15:58:55.828Z",
"dateUpdated": "2024-08-01T20:12:08.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23678 (GCVE-0-2023-23678)
Vulnerability from nvd – Published: 2023-11-07 15:48 – Updated: 2024-09-05 14:19
VLAI?
Title
WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent Plugin <= 2.2.5 is vulnerable to CSV Injection
Summary
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.
Severity ?
7.2 (High)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPEkaClub | WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) |
Affected:
n/a , ≤ 2.2.5
(custom)
|
Credits
Rio Darmawan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpeka:wp_cookie_consent:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wp_cookie_consent",
"vendor": "wpeka",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:17:05.734285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:19:24.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "gdpr-cookie-consent",
"product": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy )",
"vendor": "WPEkaClub",
"versions": [
{
"changes": [
{
"at": "2.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026amp; ePrivacy ).\u003cp\u003eThis issue affects WP Cookie Consent ( for GDPR, CCPA \u0026amp; ePrivacy ): from n/a through 2.2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ): from n/a through 2.2.5.\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T15:48:28.420Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.2.6 or a higher version."
}
],
"value": "Update to\u00a02.2.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Cookie Notice for GDPR, CCPA \u0026 ePrivacy Consent Plugin \u003c= 2.2.5 is vulnerable to CSV Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-23678",
"datePublished": "2023-11-07T15:48:28.420Z",
"dateReserved": "2023-01-17T05:01:33.476Z",
"dateUpdated": "2024-09-05T14:19:24.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11724 (GCVE-0-2024-11724)
Vulnerability from cvelistv5 – Published: 2024-12-12 06:46 – Updated: 2024-12-12 14:45
VLAI?
Title
Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script
Summary
The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wplegalpages | Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent |
Affected:
* , ≤ 3.6.5
(semver)
|
Credits
Tieu Pham Trong Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T14:45:40.896917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T14:45:52.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) : WP Cookie Consent",
"vendor": "wplegalpages",
"versions": [
{
"lessThanOrEqual": "3.6.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T06:46:34.875Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a1de53-330f-49ab-a8f8-22753c62bd36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) \u003c= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11724",
"datePublished": "2024-12-12T06:46:34.875Z",
"dateReserved": "2024-11-25T20:30:10.076Z",
"dateUpdated": "2024-12-12T14:45:52.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4869 (GCVE-0-2024-4869)
Vulnerability from cvelistv5 – Published: 2024-06-25 23:35 – Updated: 2024-08-01 20:55
VLAI?
Title
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header
Summary
The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpeka-club | Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) |
Affected:
* , ≤ 3.2.0
(semver)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T17:52:02.007262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T17:52:09.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/507b2e65-987b-4d4a-8a99-5366048d925e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/class-gdpr-cookie-consent-public.php#L793"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/modules/consent-logs/class-wpl-cookie-consent-consent-logs.php#L570"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy)",
"vendor": "wpeka-club",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Client-IP\u2019 header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T23:35:07.549Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/507b2e65-987b-4d4a-8a99-5366048d925e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/class-gdpr-cookie-consent-public.php#L793"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/3.2.0/public/modules/consent-logs/class-wpl-cookie-consent-consent-logs.php#L570"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-07T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-25T11:22:29.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) \u003c= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4869",
"datePublished": "2024-06-25T23:35:07.549Z",
"dateReserved": "2024-05-14T12:51:46.101Z",
"dateUpdated": "2024-08-01T20:55:10.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3599 (GCVE-0-2024-3599)
Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2024-08-01 20:12
VLAI?
Summary
The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpeka-club | WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) |
Affected:
* , ≤ 3.0.2
(semver)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:17:17.312029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:20.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:08.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3071278/gdpr-cookie-consent/tags/3.1.0/admin/class-gdpr-cookie-consent-admin.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy )",
"vendor": "wpeka-club",
"versions": [
{
"lessThanOrEqual": "3.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:52:03.427Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3071278/gdpr-cookie-consent/tags/3.1.0/admin/class-gdpr-cookie-consent-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3599",
"datePublished": "2024-05-02T16:52:03.427Z",
"dateReserved": "2024-04-10T15:58:55.828Z",
"dateUpdated": "2024-08-01T20:12:08.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23678 (GCVE-0-2023-23678)
Vulnerability from cvelistv5 – Published: 2023-11-07 15:48 – Updated: 2024-09-05 14:19
VLAI?
Title
WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent Plugin <= 2.2.5 is vulnerable to CSV Injection
Summary
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.
Severity ?
7.2 (High)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPEkaClub | WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) |
Affected:
n/a , ≤ 2.2.5
(custom)
|
Credits
Rio Darmawan (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpeka:wp_cookie_consent:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wp_cookie_consent",
"vendor": "wpeka",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:17:05.734285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:19:24.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "gdpr-cookie-consent",
"product": "WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy )",
"vendor": "WPEkaClub",
"versions": [
{
"changes": [
{
"at": "2.2.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026amp; ePrivacy ).\u003cp\u003eThis issue affects WP Cookie Consent ( for GDPR, CCPA \u0026amp; ePrivacy ): from n/a through 2.2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ): from n/a through 2.2.5.\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T15:48:28.420Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.2.6 or a higher version."
}
],
"value": "Update to\u00a02.2.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Cookie Notice for GDPR, CCPA \u0026 ePrivacy Consent Plugin \u003c= 2.2.5 is vulnerable to CSV Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-23678",
"datePublished": "2023-11-07T15:48:28.420Z",
"dateReserved": "2023-01-17T05:01:33.476Z",
"dateUpdated": "2024-09-05T14:19:24.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}