Cookie-nabbing app could have served users side helping of XSS – Naked Security

A popular GDPR compliance WordPress plugin vendor has patched a flaw that rendered both site visitors and admins vulnerable to cookie-stealing cross-site scripting (XSS) attacks.

The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users. The plugin is a notification app that begs you to accept cookies when you first visit a WordPress site. Website owners use tools like this to stay compliant with GDPR, which treats cookies as a form of online identifier and therefore subject to its consent rules.

While the GDPR Cookie Consent plugin asks you if you’d mind accepting cookies, it doesn’t ask you if you’d like a dollop of XSS with them too. Until this week, that’s what visitors to pages containing the plugin might have been vulnerable to.

The flaw enabled an XSS attack and elevation of privilege in versions 1.82 and earlier, said a blog post by The Ninja Technologies Network, which sells web application firewalls to protect WordPress sites.

According to Wordfence, the cause of the vulnerability was an AJAX endpoint used in the administration section of the plugin (AJAX uses JavaScript and XML to deliver web page functionality). The endpoint exposed three functions to blog subscribers that should only have been available to admins: get_policy_pageid, autosave_contant_data (“contant” is a typo in the code itself), and save_contentdata. The first just returns a post ID for the plugin’s cookie policy page and isn’t really significant, Wordfence said.

The second defines the standard content for that page and is more worrisome. Because the HTML is unfiltered, an attacker could alter it to contain JavaScript code. That means they could use it to deliver an XSS payload to any user that viewed it on its /cli-policy-preview/ page.
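To show the bug class Wordfence describes, here is an added illustration (not the plugin’s own code): a WordPress AJAX handler that stores unfiltered HTML with no capability check, beside a hardened version that requires an administrator capability, verifies a nonce, and filters the HTML with wp_kses_post before it is stored and again when it is rendered. All function, action and option names are hypothetical.

```php
<?php
// Hypothetical illustration of the bug class described above, not the
// plugin's actual code. Action/option/function names are made up.

// --- Vulnerable pattern: any logged-in user (subscribers included) can
// reach a wp_ajax_* hook, and the HTML is stored exactly as submitted. ---
add_action( 'wp_ajax_example_autosave_content', 'example_autosave_content_unsafe' );
function example_autosave_content_unsafe() {
    // No capability check, no nonce check, no HTML filtering.
    update_option( 'example_policy_content', wp_unslash( $_POST['content'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: same functionality, restricted to admins and filtered. ---
add_action( 'wp_ajax_example_autosave_content_v2', 'example_autosave_content_safe' );
function example_autosave_content_safe() {
    // 1. Only users who can manage the site may edit the policy page content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Require a valid nonce for this action (blocks cross-site request forgery);
    //    the admin page issues it with wp_create_nonce( 'example_autosave' ).
    check_ajax_referer( 'example_autosave', 'nonce' );

    // 3. Strip <script>, on* event handlers and disallowed URL schemes before
    //    storing, so the saved content cannot carry a script payload to viewers.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_policy_content', $content );
    wp_send_json_success();
}

// Filter again on output (defence in depth), e.g. when rendering a preview page.
function example_render_policy_preview() {
    echo wp_kses_post( get_option( 'example_policy_content', '' ) );
}
```

The capability check is the fix for the privilege part of the flaw; the nonce and output filtering close the remaining CSRF and stored-XSS paths even if a future change weakens one of the other layers.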