Description
The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a <style> block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to a stored cross‑site scripting flaw that is triggered by the 'ninja_gdpr_ajax_actions' AJAX endpoint. The lack of capability and nonce checks on the handleAjaxCalls() method, along with unescaped gdprConfig values that are injected into a <style> block via generateCSS(), allows an attacker who is logged in with subscriber or higher privileges to store malicious JavaScript that will execute whenever any visitor loads a page on the site. This flaw is identified as CWE‑79 and can lead to theft of user session cookies, defacement, or further compromise of the WordPress site.

Affected Systems

The vulnerability affects the WP GDPR Cookie Consent plugin developed by techjewel, offering WordPress GDPR cookie consent functionality. All releases up to and including version 1.0.0 are impacted. No later releases are listed in the known affected range, implying that the issue is fixed in 1.0.1 or newer, though vendors should confirm.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity risk, and the EPSS score is unavailable, so there is no quantifiable estimate of current attack frequency. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Attackers must be authenticated with at least subscriber-level access and must provoke the vulnerable AJAX call. Once a payload is stored, it will be delivered implicitly to all users who visit the affected pages, making the engagement highly visible to site visitors but limited to sites where the vulnerable plugin is installed.

Generated by OpenCVE AI on June 9, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP GDPR Cookie Consent plugin to any version newer than 1.0.0 to eliminate the stored XSS flaw.
  • If an upgrade cannot be performed immediately, disable or remove the 'ninja_gdpr_ajax_actions' AJAX handler until a patch becomes available.
  • Implement proper input validation and output escaping for gdprConfig values, ensuring that any stored configuration is sanitized before being rendered inside <style> tags on wp_head.

Generated by OpenCVE AI on June 9, 2026 at 05:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Shahjahan Jewel
Shahjahan Jewel wp Gdpr Cookie Consent
Wordpress
Wordpress wordpress
Vendors & Products Shahjahan Jewel
Shahjahan Jewel wp Gdpr Cookie Consent
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a <style> block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WP GDPR Cookie Consent <= 1.0.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'ninja_gdpr_ajax_actions' AJAX Action
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Shahjahan Jewel Wp Gdpr Cookie Consent
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T13:26:32.899Z

Reserved: 2026-05-19T13:04:46.100Z

Link: CVE-2026-8977

cve-icon Vulnrichment

Updated: 2026-06-09T13:26:29.155Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:41.087

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8977

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:00:14Z

Weaknesses