CVE-2024-11724

Description

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

wplegalpages / Cookie Banner for GDPR / CCPA – WPLP Cookie Consent0 – 3.6.5

References

MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/e9a1de53-330f-49ab-a8f8-22753c62bd36?source=cve
MISChttps://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php