CVE-2021-24405 Information

Description

The Easy Cookies Policy WordPress plugin through 1.6.2 performs neither a capability check nor a CSRF (nonce) check when saving its settings, so any authenticated user (for example a subscriber) can change them. Where user registration is disabled, the settings can still be changed through CSRF against a logged-in user. Furthermore, the cookie banner setting is neither sanitised nor validated before being output on every frontend page and on the backend settings page, leading to a Stored Cross-Site Scripting issue.
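The weakness class the description names (a settings save handler with no capability check and no nonce check, plus a stored option echoed without sanitisation or escaping) beside its hardened form, as an added illustrative example in WordPress plugin PHP. This is not the Easy Cookies Policy plugin's code: the option name ecp_demo_banner, the POST field, the nonce action, the hook names and the settings page slug are hypothetical placeholders.

```php
<?php
/*
 * Illustrative example (not the plugin's source). Shows the vulnerable
 * pattern described in CVE-2021-24405 and a hardened equivalent.
 * All names (ecp_demo_*) are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// No current_user_can() and no nonce check: any logged-in user who can reach
// admin-post.php, or a victim's browser driven by a cross-site form (CSRF),
// can overwrite the option with arbitrary HTML.
function ecp_demo_save_settings_vulnerable() {
    update_option( 'ecp_demo_banner', wp_unslash( $_POST['ecp_demo_banner'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ecp-demo' ) );
    exit;
}

// Raw echo of the stored value: a payload runs on every front-end page and on
// the settings page itself (stored XSS).
function ecp_demo_render_banner_vulnerable() {
    echo '<div class="ecp-banner">' . get_option( 'ecp_demo_banner', '' ) . '</div>';
}

// --- Hardened pattern -------------------------------------------------------
function ecp_demo_save_settings_hardened() {
    // 1. Authorisation: only users who may manage options change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ecp-demo' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF: require a nonce bound to this action and the current user.
    //    check_admin_referer() stops the request with an error page on failure.
    check_admin_referer( 'ecp_demo_save_settings', 'ecp_demo_nonce' );

    // 3. Sanitise on input. wp_kses_post() keeps only the HTML allowed in post
    //    content and strips <script>, on* event handlers and javascript: URLs.
    $raw    = isset( $_POST['ecp_demo_banner'] ) ? wp_unslash( $_POST['ecp_demo_banner'] ) : '';
    $banner = wp_kses_post( $raw );
    update_option( 'ecp_demo_banner', $banner );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ecp-demo' ) ) );
    exit;
}

// 4. Filter on output as well; do not trust that the stored value is clean
//    (a payload saved by an unpatched release would otherwise still fire).
function ecp_demo_render_banner_hardened() {
    echo '<div class="ecp-banner">' . wp_kses_post( get_option( 'ecp_demo_banner', '' ) ) . '</div>';
}

// Settings form: emits the nonce field the hardened handler verifies, and
// escapes the current value for a textarea context.
function ecp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ecp_demo_save_settings">
        <?php wp_nonce_field( 'ecp_demo_save_settings', 'ecp_demo_nonce' ); ?>
        <textarea name="ecp_demo_banner"><?php echo esc_textarea( get_option( 'ecp_demo_banner', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Wire in the hardened handler. admin_post_{action} fires only for logged-in
// users; admin_post_nopriv_{action} is deliberately not registered.
add_action( 'admin_post_ecp_demo_save_settings', 'ecp_demo_save_settings_hardened' );
add_action( 'wp_footer', 'ecp_demo_render_banner_hardened' );
```

If the banner text does not need to carry HTML at all, the stricter choice is sanitize_text_field() on save and esc_html() on output; wp_kses_post() is shown because cookie banners commonly contain links. Note that the nonce check alone does not fix the privilege problem (a subscriber can obtain a valid nonce for their own session), and the capability check alone does not fix CSRF; both are required, and output escaping is still needed for values stored before the fix.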

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5
http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
