CVE-2024-8397

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.
Configurations

No configuration.

History

17 May 2025, 04:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4

16 May 2025, 14:42

Type Values Removed Values Added
Summary
  • (es) El complemento webtoffee-gdpr-cookie-consent de WordPress, anterior a la versión 2.6.1, no depura ni escapa correctamente los encabezados IP al registrarlos, lo que permite a los visitantes realizar ataques de Cross-Site Scripting. El payload se activa cuando un administrador visita la página "Consent report" y el script malicioso se ejecuta en el contexto del administrador.

15 May 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-15 20:15

Updated : 2025-05-17 04:16


NVD link : CVE-2024-8397

Mitre link : CVE-2024-8397

CVE.ORG link : CVE-2024-8397


JSON object : View

Products Affected

No product.

CWE

No CWE.