WordPress Plugin Cookie Law Bar Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WordPress plugin Cookie Law Bar, version 1.2.1. This vulnerability allows authenticated attackers to inject malicious scripts by submitting unsanitized input into the Bar Message field. The injected scripts execute in the browsers of all WordPress users viewing the site, potentially leading to cookie theft and exfiltration of sensitive data.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user must navigate to the Cookie Law Bar settings page. Once there, inject a script payload, such as a script tag closing followed by a script tag opening with a JavaScript command (e.g., 'alert(document.cookie)'), into the 'Bar Message' field and save the changes. The injected script will then execute in the browsers of users viewing the site.