WordPress · Cookie Notice & Compliance for GDPR / CCPA · CVE-2022-3399
**Name of the Vulnerable Software and Affected Versions**
Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress versions up to, and including, 2.4.17.1
**Description**
The plugin is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrative privileges to inject arbitrary web scripts that execute whenever a user accesses the injected /wp-admin/admin.php?page=cookie-notice page. The issue affects multisite installations and installations where `unfiltered_html` has been disabled.
**Recommendations**
Update the plugin to a version higher than 2.4.17.1 to resolve the issue.
As a temporary workaround, consider restricting access to the `cookie_notice_options[refuse_code_head]` parameter and the /wp-admin/admin.php?page=cookie-notice page to minimize the risk of exploitation.
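To decide which sites need the update first, the following added example (not code from the plugin or from this advisory) checks an installed plugin header against the affected range and looks for the two conditions named in the description. It assumes the caller supplies the text of the plugin's main PHP file and of `wp-config.php`; the function names and result labels are hypothetical, and `MULTISITE` and `DISALLOW_UNFILTERED_HTML` are the standard WordPress constants.

```python
import re

LAST_AFFECTED = (2, 4, 17, 1)  # from the advisory: up to and including 2.4.17.1

def parse_version(plugin_header):
    """Return the 'Version:' field of a WordPress plugin header as a tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", plugin_header, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True if version <= 2.4.17.1; pads so 2.4.17.1.0 compares equal."""
    n = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def constant_enabled(wp_config, name):
    """True if wp-config.php text defines `name` as true outside comments."""
    code = re.sub(r"/\*.*?\*/", "", wp_config, flags=re.S)  # block comments
    code = re.sub(r"(//|#).*", "", code)                     # line comments
    pat = r"define\s*\(\s*['\"]%s['\"]\s*,\s*(true|1)\s*\)" % re.escape(name)
    return re.search(pat, code, re.I) is not None

def triage(plugin_header, wp_config):
    version = parse_version(plugin_header)
    if version is None:
        return "unknown"
    if not is_affected(version):
        return "patched"
    # Conditions the advisory names. Only the two constants are checked; a role
    # editor or filter that removes unfiltered_html is not visible here.
    exposed = (constant_enabled(wp_config, "MULTISITE")
               or constant_enabled(wp_config, "DISALLOW_UNFILTERED_HTML"))
    return "affected-exposed" if exposed else "affected-version-only"

# Constructed sample inputs (not taken from a real site).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Cookie Notice & Compliance for GDPR / CCPA
Version: 2.4.17.1
*/
"""
SAMPLE_CONFIG = """<?php
// define( 'MULTISITE', true );
define( 'DISALLOW_UNFILTERED_HTML', true );
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_CONFIG))
```

A result of `affected-version-only` still calls for the update; it only means neither constant was found in the supplied configuration text.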