MEDIUM 6.4

CVE-2026-8977: Stored XSS in WP GDPR Cookie Consent Plugin (v1.0.0)

The WP GDPR Cookie Consent plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with subscriber-level permissions or higher to inject malicious JavaScript code into website pages. When other users visit an affected page, the injected script executes in their browsers, potentially allowing attackers to steal session tokens, redirect visitors, inject malware, or perform other actions on behalf of legitimate users. The vulnerability exists because the plugin fails to properly validate user input and safely display stored configuration settings.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a <style> block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8977 is a stored XSS flaw in the WP GDPR Cookie Consent plugin (versions up to 1.0.0) affecting the 'ninja_gdpr_ajax_actions' AJAX handler. The handleAjaxCalls() function lacks capability and nonce verification, allowing authenticated attackers to submit unsanitized gdprConfig values. The generateCSS() function subsequently echoes these values directly into a <style> block during wp_head execution without output escaping, enabling arbitrary JavaScript injection. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Business impact

This vulnerability creates a persistent attack surface on WordPress sites using the plugin. A disgruntled employee, compromised account, or insider with subscriber access can silently inject malicious code that affects all site visitors, potentially leading to credential theft, malware distribution, SEO poisoning, or brand reputation damage. For sites handling GDPR consent flows, the breach of trust is particularly damaging, as attackers could exfiltrate user consent preferences or inject unauthorized tracking scripts.

Affected systems

The WP GDPR Cookie Consent plugin is affected in all versions up to and including 1.0.0. Any WordPress installation running this plugin with that version number is vulnerable. The attack requires an authenticated account with at least subscriber-level access, meaning vulnerability is present even if public user registration is disabled, as long as any authenticated user account exists.

Exploitability

Exploitability is moderate. An attacker must first obtain or maintain authenticated access (subscriber role or above), which is typically lower-privileged but still requires valid credentials. Once authenticated, no additional privileges are needed, and exploitation is straightforward—no user interaction beyond accessing the affected page is required to trigger payload execution. The attack is repeatable and affects all subsequent visitors, making it particularly dangerous for high-traffic sites.

Remediation

Update the WP GDPR Cookie Consent plugin to a patched version released after 1.0.0. Verify the specific patch version through the official WordPress plugin repository or the vendor's security advisory. As an interim measure, restrict subscriber-level account creation, audit existing subscriber accounts for legitimacy, and monitor AJAX activity targeting 'ninja_gdpr_ajax_actions' for suspicious configuration submissions. Consider disabling the plugin until a patch is confirmed available.

Patch guidance

Administrators should update the WP GDPR Cookie Consent plugin as soon as a patched version is released by the vendor. Visit the WordPress plugin directory or the vendor's official website to confirm the latest secure version. Test the update in a staging environment before production deployment to ensure compatibility with other active plugins and the site's custom configurations. Verify that the generateCSS() function properly escapes output and that AJAX handlers validate nonces and user capabilities post-update.

Detection guidance

Monitor for POST requests to wp-admin/admin-ajax.php with 'action=ninja_gdpr_ajax_actions' originating from authenticated sessions, particularly subscriber accounts. Log and alert on gdprConfig parameter submissions containing HTML special characters (<, >, ", ', {, }) or script-like patterns. Review stored plugin options and theme CSS blocks for unexpected JavaScript or event handlers. Use WordPress security plugins that track AJAX modifications or inspect wp_head hook execution for unauthorized style injections.

Why prioritize this

While CVSS 6.4 (Medium) reflects the requirement for prior authentication, the stored nature of the XSS, combined with persistence across all site visitors and the typical trust model of WordPress subscriber accounts, elevates practical risk. Organizations should prioritize patching to prevent long-term site compromise and protect visitor integrity.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects the attack requiring authentication (PR:L), no user interaction on the attacker's part (UI:N), and a network-based attack vector (AV:N). The Medium severity accounts for low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N). However, the score does not fully capture the persistent, site-wide nature of stored XSS or the downstream impact on uninvolved users, which may warrant treating this as higher priority in your environment.

Frequently asked questions

Can unauthenticated users exploit this vulnerability?

No. The vulnerability requires an authenticated WordPress account with at least subscriber-level access. However, if your site allows user registration or has any active user accounts beyond administrators, the attack surface exists.

What versions of WordPress are affected?

The vulnerability is in the WP GDPR Cookie Consent plugin itself, not in WordPress core. Any WordPress version running the vulnerable plugin (up to 1.0.0) on any compatible WordPress version is at risk.

Can I safely disable the plugin instead of updating immediately?

Yes. Disabling the plugin removes the vulnerable code path. If you choose to disable rather than immediately update, ensure you have a plan to re-enable or replace it with a patched version before removing it permanently, as it may be relied upon for GDPR consent functionality.

How do I know if my site has been attacked?

Check your WordPress options table or plugin settings for unexpected values in GDPR cookie configuration fields, review site CSS for injected script tags, and examine admin-ajax.php access logs for suspicious 'ninja_gdpr_ajax_actions' submissions from subscriber accounts. Consider running a malware scanner and reviewing browser console logs on the site front-end.

This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. Verify all patch versions, affected products, and vendor advisories against official sources before implementing remediations. Security impact and exploitability may vary based on your specific WordPress configuration, installed plugins, theme, and user management practices. No exploit code or weaponized proof-of-concept is provided. Consult with your security team and vendor documentation for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).