Description
The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-24
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an authenticated administrator to inject scripts which run when any site visitor accesses affected pages
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Cookie consent for developers WordPress plugin allows stored cross‑site scripting via several of its settings fields. The plugin neither sanitizes these values when they are saved nor escapes them when they are rendered, so markup an administrator enters, including script, is stored verbatim and later written into the site's pages. Because the fields are exposed to administrators who do not hold the unfiltered_html capability, the plugin bypasses WordPress's own guard against that role storing script. Once injected, the script executes in the browser of every visitor to an affected page, enabling session theft, credential harvesting, or defacement.
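The pattern described above, as an added illustration that is not code from the Cookie consent for developers plugin: a settings value saved without sanitization and echoed without escaping, next to the hardened form WordPress expects (sanitize on save according to the caller's unfiltered_html capability, escape on output for the context). All option, field and function names prefixed ccd_example_ are hypothetical; the real plugin's option names are not given on this page.

```php
<?php
// Added example, not the plugin's own code. Illustrates the CWE-79 pattern
// the advisory describes in a WordPress settings page. Names prefixed
// ccd_example_ are hypothetical placeholders.

// --- Vulnerable pattern: stored as submitted, printed as stored ----------

function ccd_example_save_banner_text_vulnerable() {
    // No capability-aware sanitization: a <script> tag survives into the DB.
    $raw = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    update_option( 'ccd_example_banner_text', $raw );
}

function ccd_example_render_banner_vulnerable() {
    // No output escaping: whatever was stored is injected into every page.
    echo '<div class="cookie-banner">' . get_option( 'ccd_example_banner_text' ) . '</div>';
}

// --- Hardened pattern ----------------------------------------------------

// 1. Sanitize on save. Only a user who holds unfiltered_html may store raw
//    markup. Everyone else (every site administrator on multi-site by
//    default, and all administrators when DISALLOW_UNFILTERED_HTML is set)
//    is limited to the post-safe subset, which drops <script> and on*
//    event-handler attributes.
function ccd_example_sanitize_banner_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function ccd_example_register_settings() {
    register_setting(
        'ccd_example_settings',
        'ccd_example_banner_text',
        array( 'sanitize_callback' => 'ccd_example_sanitize_banner_text' )
    );
    // A field that should only ever hold a colour gets a strict sanitizer:
    // anything that is not a hex colour is discarded.
    register_setting(
        'ccd_example_settings',
        'ccd_example_banner_color',
        array( 'sanitize_callback' => 'sanitize_hex_color' )
    );
}
add_action( 'admin_init', 'ccd_example_register_settings' );

// 2. Escape on output, matching the context. Rich text passes through
//    wp_kses_post() again (defence in depth if the database row was edited
//    directly); a value placed in an attribute goes through esc_attr().
function ccd_example_render_banner_hardened() {
    $text  = get_option( 'ccd_example_banner_text', '' );
    $color = get_option( 'ccd_example_banner_color', '#ffffff' );
    printf(
        '<div class="cookie-banner" style="background:%s">%s</div>',
        esc_attr( $color ),
        wp_kses_post( $text )
    );
}
```

For fields that are plain text rather than limited HTML, sanitize_text_field() on save and esc_html() on output are the tighter choice; a value interpolated into an inline script needs esc_js() or, better, wp_localize_script()/wp_add_inline_script() with JSON encoding. The capability check is the part that matters for this CVE: on multi-site only the super admin holds unfiltered_html, so a settings page that skips the check lets every site administrator store script.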

Affected Systems

All installations of the plugin at versions up to and including 1.7.1 in which the administrator performing the edit does not hold the unfiltered_html capability. That is the case on WordPress multi‑site installations, where site administrators lack unfiltered_html by default and only the super admin holds it, and on single‑site installations where unfiltered_html has been disabled (for example via DISALLOW_UNFILTERED_HTML). On a single‑site installation with unfiltered_html enabled, administrators may store script by design, so the plugin's missing sanitization grants them nothing they do not already have.

Risk and Exploitability

The CVSS 3.1 base score of 4.4 (Medium; vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects the high privilege required (an administrator account) and the narrow preconditions (AC:H), partly offset by the changed scope: the payload runs in the browsers of site visitors, not only in the attacker's own session. The EPSS score of less than 1% indicates very limited likelihood of exploitation at present, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The realistic threat is a compromised or malicious administrator, or an attacker chaining a lower-privilege account takeover, using the settings fields to persist script that every visitor then executes, which turns one administrative account into a site‑wide client‑side compromise. Although the probability is currently low, a stored XSS that bypasses the unfiltered_html control remains a meaningful risk to site integrity and user privacy.

Generated by OpenCVE AI on April 15, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cookie consent for developers plugin to version 1.7.2 or later. The Remediation field above records no vendor fix at the time of this page, so confirm the fixed version in the plugin's changelog before relying on it.
  • If an update cannot be applied immediately, disable the plugin, or clear the affected settings fields and confirm that no <script> tag or on* event‑handler attribute remains in the stored options.
  • Remember that the exposure exists precisely where unfiltered_html is not held (multi‑site, or single‑site with unfiltered_html disabled): on those installations no administrator should be able to store script, so any script found in the plugin's options is injected content. Remove it, then review which administrator accounts could have written it.
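An audit script for the clean‑up step above, added here as an example and not provided by the plugin vendor or OpenCVE. It runs inside the site via WP‑CLI (wp eval-file ccd-audit.php; on multi‑site, once per site with --url=<site>), reads every option whose name starts with a given prefix, walks serialized arrays, and reports values containing script tags, inline event handlers, javascript: URLs, or markup outside the wp_kses_post() allowlist. The option‑name prefix is an assumption: the advisory names the affected settings only as "multiple settings fields", so replace it with the prefix the installed plugin actually uses (wp option list will show it).

```php
<?php
// Added example, not part of the plugin or of OpenCVE's page.
// Usage:  wp eval-file ccd-audit.php   (add --url=<site> on multi-site)
// ASSUMPTION: the plugin stores its settings under options whose names
// begin with $prefix. Replace it with the real prefix before running.
$prefix = 'ccd_';

global $wpdb;
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( $prefix ) . '%'
    )
);

// Indicators that a value meant to be plain text or limited HTML now
// carries script. The last check catches tags wp_kses_post() would strip.
function ccd_audit_flag( $value ) {
    $findings = array();
    if ( preg_match( '/<\s*script\b/i', $value ) ) {
        $findings[] = 'script tag';
    }
    if ( preg_match( '/\bon[a-z]+\s*=\s*["\']/i', $value ) ) {
        $findings[] = 'event handler attribute';
    }
    if ( preg_match( '/javascript\s*:/i', $value ) ) {
        $findings[] = 'javascript: URL';
    }
    if ( empty( $findings ) && wp_kses_post( $value ) !== $value ) {
        $findings[] = 'markup outside the wp_kses_post() allowlist';
    }
    return $findings;
}

// Recurse into serialized arrays so nested settings are checked as well.
function ccd_audit_walk( $value, $path, array &$report ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            ccd_audit_walk( $item, $path . '[' . $key . ']', $report );
        }
    } elseif ( is_string( $value ) ) {
        $findings = ccd_audit_flag( $value );
        if ( $findings ) {
            $report[ $path ] = $findings;
        }
    }
}

$report = array();
foreach ( $rows as $row ) {
    ccd_audit_walk( maybe_unserialize( $row->option_value ), $row->option_name, $report );
}

if ( empty( $report ) ) {
    WP_CLI::success( "No script-like content in options matching {$prefix}*" );
} else {
    foreach ( $report as $where => $why ) {
        WP_CLI::warning( $where . ': ' . implode( ', ', $why ) );
    }
    WP_CLI::error( count( $report ) . ' suspicious value(s); review and clear them with wp option update' );
}
```

The allowlist check will flag legitimate but unusual markup as well as injected script, so treat the output as a review list rather than an automatic delete list. Run it before updating the plugin (to see what is there) and again afterwards, because upgrading the code does not clean values already stored in the database.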

Generated by OpenCVE AI on April 15, 2026 at 17:39 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wordpress; Wordpress wordpress
Vendors & Products    -                Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description   -                The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title         -                Cookie consent for developers <= 1.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Multiple Settings Fields
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:52.375Z

Reserved: 2026-01-16T20:44:38.379Z

Link: CVE-2026-1084

Vulnrichment

Updated: 2026-01-26T15:29:27.889Z

NVD

Status : Deferred

Published: 2026-01-24T08:16:08.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses