CVE-2024-11724: Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) <= 3.6.5 - Missing Authorization to...

4.3 CVSS

Description

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.

Classification

CVE ID: CVE-2024-11724

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: wplegalpages

Product: Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.21% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-04 (date this score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a1de53-330f-49ab-a8f8-22753c62bd36?source=cve
https://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php

Timeline