PT-2021-15938 · WordPress · Easy Cookies Policy
0Xb9 · Published 2021-07-06 · Updated 2022-07-28 · CVE-2021-24405
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Easy Cookies Policy WordPress plugin versions 1.6.2 and earlier
Description
The plugin saves its settings without checking the caller's capability and without verifying a nonce, so any authenticated user, including one with the Subscriber role, can change them. Because no nonce is verified, the same settings form can also be driven through CSRF against a logged-in administrator, which matters on sites where user registration is disabled. The cookie banner setting is stored without sanitization or validation and is rendered on every frontend and backend page, so a value containing script becomes a Stored Cross-Site Scripting payload that fires for every visitor and administrator who loads a page.
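The pattern described above, as an added example rather than code from the Easy Cookies Policy plugin: a settings-save handler with both checks missing, beside a hardened version that adds the capability check, the nonce check, input sanitization and output escaping. The option name `ecp_banner_text`, the `admin_post_` action names and the function names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example for this advisory, not code from the Easy Cookies Policy plugin.
 * Option name, hook names and function names below are assumptions.
 */

// --- Vulnerable pattern -------------------------------------------------------
// admin-post.php is reachable by every logged-in user, so a Subscriber can hit
// this action. Nothing checks who the caller is or whether the request came from
// the plugin's own form, and the banner text is stored verbatim.
add_action( 'admin_post_ecp_save_settings_vuln', 'ecp_save_settings_vuln' );
function ecp_save_settings_vuln() {
    update_option( 'ecp_banner_text', $_POST['banner_text'] ); // no capability check, no nonce, no sanitization
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Hardened pattern ---------------------------------------------------------
add_action( 'admin_post_ecp_save_settings', 'ecp_save_settings' );
function ecp_save_settings() {
    // 1. Authorization: only users allowed to manage site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'ecp' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this user.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'ecp_save_settings', 'ecp_nonce' );

    // 3. Input sanitization: WordPress slashes $_POST, so unslash, then keep only
    //    a small allow-list of inline markup. Everything else, including <script>
    //    and on* attributes, is stripped before it reaches the database.
    $raw    = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    $banner = wp_kses( (string) $raw, array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
    ) );
    update_option( 'ecp_banner_text', $banner );

    wp_safe_redirect( add_query_arg( 'updated', 'true', wp_get_referer() ) );
    exit;
}

// Settings form: emits the nonce field that check_admin_referer() verifies above.
function ecp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ecp_save_settings">
        <?php wp_nonce_field( 'ecp_save_settings', 'ecp_nonce' ); ?>
        <textarea name="banner_text"><?php echo esc_textarea( get_option( 'ecp_banner_text', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Output escaping: the sink does not trust storage. Even if a stale or
//    hand-edited value sits in the option, only post-safe HTML is emitted.
function ecp_render_banner() {
    echo wp_kses_post( get_option( 'ecp_banner_text', '' ) );
}
```

The capability check alone would not have been enough: a forged form submitted from an administrator's browser carries the administrator's capabilities, which is why the nonce check is the part that closes the CSRF vector, and why sanitizing on save and escaping on output are both needed to close the Stored XSS.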
Recommendations
Update the plugin to a release later than 1.6.2 that adds the capability and nonce checks to the settings-save handler and sanitizes and validates the cookie banner setting before storing it and escapes it on output. Check the plugin changelog for the release that addresses CVE-2021-24405 before updating.
Until the fix is installed, restrict who can reach the settings page and the settings-save handler so that low-privileged accounts cannot change settings. Note that this does not stop a CSRF attack carried out through an administrator's browser.
Inspect the currently stored cookie banner setting for injected markup, and disable the banner or clear the setting if it is not needed until the fix is in place.
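One way to implement the interim workaround without modifying the plugin, as an added example rather than code from the Easy Cookies Policy plugin: a must-use plugin that filters the option's write and read paths. The option name `ecp_banner_text` is an assumption; replace it with the option the plugin actually stores its banner in.

```php
<?php
/**
 * Plugin Name: Interim hardening for an unprotected settings option
 * Description: Added example for this advisory, not code from the Easy Cookies
 * Policy plugin. Install as wp-content/mu-plugins/ecp-interim-hardening.php
 * until the plugin is updated. The option name is an assumption.
 */

// ASSUMPTION: the option the plugin stores its banner text in.
const ECP_INTERIM_OPTION = 'ecp_banner_text';

/** Small allow-list of inline markup permitted in the banner. */
function ecp_interim_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true, 'target' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

/**
 * Gate writes to the option. Returning $old_value turns update_option() into a
 * no-op. This closes the low-privilege vector (the missing capability check).
 * The Origin/Referer check only narrows CSRF against an administrator: a forged
 * request from the admin's browser still carries their capabilities, so this is
 * a stopgap, not a substitute for the plugin's own nonce check.
 */
function ecp_interim_gate_update( $value, $old_value, $option ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return $old_value;
    }

    $source = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';
    if ( '' === $source && isset( $_SERVER['HTTP_REFERER'] ) ) {
        $source = $_SERVER['HTTP_REFERER'];
    }
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $actual_host   = '' !== $source ? wp_parse_url( $source, PHP_URL_HOST ) : null;
    if ( $actual_host !== $expected_host ) {
        return $old_value; // cross-site or missing source: refuse the write
    }

    // Defence in depth: never store markup beyond the allow-list.
    return wp_kses( (string) $value, ecp_interim_allowed_html() );
}
add_filter( 'pre_update_option_' . ECP_INTERIM_OPTION, 'ecp_interim_gate_update', 10, 3 );

/**
 * Neutralise a payload that is already in the database: every get_option()
 * read of the banner passes through the same allow-list before the plugin
 * echoes it on frontend or backend pages.
 */
function ecp_interim_filter_read( $value ) {
    return is_string( $value ) ? wp_kses( $value, ecp_interim_allowed_html() ) : $value;
}
add_filter( 'option_' . ECP_INTERIM_OPTION, 'ecp_interim_filter_read' );
```

Writes performed outside a browser request (for example from WP-CLI without a user context) are also refused by this gate, which is acceptable for a temporary measure. Remove the file once a plugin release with proper capability and nonce checks is installed.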
Weakness Enumeration
Incorrect Authorization
Affected Products
Easy Cookies Policy