PT-2026-47683 · WordPress · Gdpr Cookie Consent

Hardik Patel +1 · Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-8977

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WP GDPR Cookie Consent versions prior to 1.0.1

Description

The plugin is subject to Stored Cross-Site Scripting. Authenticated attackers with subscriber-level access or higher can inject arbitrary web scripts into pages. This occurs because the handleAjaxCalls() function lacks capability and nonce checks for the 'ninja gdpr ajax actions' AJAX action. Additionally, there is insufficient input sanitization for gdprConfig values and a lack of output escaping in the generateCSS() function, which echoes stored configuration values directly into a style block rendered on the page head.

Recommendations

Update to a version later than 1.0.0. As a temporary mitigation, restrict access to the 'ninja gdpr ajax actions' AJAX action or disable the handleAjaxCalls() function.
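
A hardened form of the pattern the description names (nonce and capability checks in the AJAX handler, allowlist sanitization of stored values, validation again at output), added here as an example and not the plugin's own code or fix. The `example_gdpr_*` function, action and option names and the config keys `bannerBg`, `textColor` and `fontSize` are hypothetical.

```php
<?php
// Added illustration; every example_gdpr_* name and config key is hypothetical.

// wp_ajax_ hooks fire for any logged-in user, so the handler itself must
// refuse a subscriber.
add_action( 'wp_ajax_example_gdpr_save', 'example_gdpr_handle_ajax' );

function example_gdpr_handle_ajax() {
    // Nonce check: the request must carry a token this site issued to the user.
    check_ajax_referer( 'example_gdpr_save', 'nonce' );

    // Capability check: only administrators may change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['gdprConfig'] ) && is_array( $_POST['gdprConfig'] )
        ? wp_unslash( $_POST['gdprConfig'] )
        : array();

    update_option( 'example_gdpr_config', example_gdpr_sanitize( $raw ) );
    wp_send_json_success();
}

// Allowlist per key: colours must be hex, the size an integer within a range.
function example_gdpr_sanitize( $raw ) {
    $clean = array();
    foreach ( array( 'bannerBg', 'textColor' ) as $key ) {
        $ok            = isset( $raw[ $key ] ) && is_string( $raw[ $key ] );
        $value         = $ok ? sanitize_hex_color( $raw[ $key ] ) : null;
        $clean[ $key ] = $value ? $value : '#000000';
    }
    $size              = isset( $raw['fontSize'] ) ? absint( $raw['fontSize'] ) : 14;
    $clean['fontSize'] = min( 48, max( 8, $size ) );
    return $clean;
}

add_action( 'wp_head', 'example_gdpr_generate_css' );

function example_gdpr_generate_css() {
    // Re-validate on output so values stored before the fix never reach the page.
    $c = example_gdpr_sanitize( (array) get_option( 'example_gdpr_config', array() ) );
    printf(
        "<style>.example-gdpr-banner{background:%s;color:%s;font-size:%dpx}</style>\n",
        esc_html( $c['bannerBg'] ),
        esc_html( $c['textColor'] ),
        $c['fontSize']
    );
}
```

Validating again in the output function matters after an upgrade: configuration written while the handler was unprotected stays in the database until it is overwritten.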

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-8977

Affected Products

Gdpr Cookie Consent