Cookie-nabbing app could have served users side helping of XSS
2020-02-14 12:29

The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users.

While the GDPR Cookie Consent plugin asks you if you'd mind accepting cookies, it doesn't ask you if you'd like a dollop of XSS with them too.

The flaw enabled an XSS attack and elevation of privilege in versions 1.82 and earlier, said a blog post by The Ninja Technologies Network, which sells web application firewalls to protect WordPress sites.

The third function creates or updates the post that bugs users to accept the cookie policy when they visit a site.

An attacker could use an altered post to mount an XSS attack on one of these privileged users.


News URL

https://nakedsecurity.sophos.com/2020/02/14/cookie-nabbing-app-could-have-served-users-side-helping-of-xss/