CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
What the vulnerability does
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GDPR Info Cookie Notice & Consent Banner for GDPR & CCPA Compliance cookie-notice-and-consent-banner allows Stored XSS.This issue affects Cookie Notice & Consent Banner for GDPR & CCPA Compliance: from n/a through <= 1.7.11.
Explanation of Vulnerability in Simple Terms
A stored cross-site scripting (XSS) vulnerability exists in Cookie Notice & Consent Banner for GDPR & CCPA Compliance versions up to 1.7.11. An authenticated user with low privileges can inject malicious scripts that execute in the browsers of other site visitors, potentially stealing session tokens or performing actions on their behalf. The vulnerability requires user interaction and affects the integrity and confidentiality of visitor data.
What an attacker can do
Inject malicious scripts that run in other users' browsers to steal data or perform unauthorized actions.
Potential impact on your site
Visitor accounts and data can be compromised if an authenticated user injects XSS payloads into the plugin's settings or content.
Conditions required to exploit
Attacker must have low-level authenticated access and trick a site admin or higher-privileged user into viewing the malicious payload.
Key dates
External resources
Related vulnerabilities
