CVE-2018-10310
Description
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2 entries:
- (no CPE) range: <2.3.10
- (no CPE) range: <2.3.10
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of WordPress page titles in the plugin's admin interface allows stored XSS."
Attack vector
An attacker must first have authenticated access to the WordPress control panel. The attacker creates or edits a WordPress page and inserts malicious HTML/JavaScript into the page title. When the attacker (or another admin) navigates to Settings > Cookie Consent and clicks the "Content" tab, the unsanitized page title is rendered, causing the injected script to execute in the context of the victim's browser session [ref_id=1].
Affected code
The vulnerability resides in the UK Cookie Consent plugin's administrative interface, specifically in the "Content" tab under Settings > Cookie Consent. The plugin fails to sanitize page titles before rendering them in the admin panel, allowing stored script execution.
What the fix does
The advisory does not include a patch diff, but the vulnerability was addressed in version 2.3.10 of the plugin. The fix likely involves proper output encoding or sanitization of page titles before they are displayed in the Cookie Consent settings page, preventing the browser from interpreting injected HTML/script as executable code.
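As an added illustration (the advisory includes no code, so this is not the plugin's own source): a hypothetical reconstruction of the unescaped admin rendering beside the escaped form that the 2.3.10 fix is described as introducing. The option-list layout, the field name, the page IDs and the titles are assumptions; `esc_html()`/`esc_attr()` are the real WordPress helpers, shimmed here only so the file also runs under plain `php`.

```php
<?php
// Added example, not the plugin's code. Shims for the WordPress escaping helpers
// so the file runs stand-alone; inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Constructed sample: the shape get_pages() returns, after one title was stored
// with markup in it. IDs and titles are made up for this example.
$pages = [
    (object) ['ID' => 7,  'post_title' => 'Privacy Policy'],
    (object) ['ID' => 12, 'post_title' => 'Cookies <script>probe()</script>'],
];

// Hypothetical reconstruction of the pre-fix pattern: the stored title is
// concatenated into the admin page as-is, so the browser parses it as markup.
function render_page_options_unsafe(array $pages) {
    $html = '<select name="cookie_page">'; // field name is an assumption
    foreach ($pages as $p) {
        $html .= '<option value="' . $p->ID . '">' . $p->post_title . '</option>';
    }
    return $html . '</select>';
}

// Hardened form: each stored value is escaped for the context it lands in
// (attribute value vs. element text), so the title is displayed, never executed.
function render_page_options_safe(array $pages, $selected = 0) {
    $html = '<select name="cookie_page">';
    foreach ($pages as $p) {
        $sel = ((int) $p->ID === (int) $selected) ? ' selected' : '';
        $html .= '<option value="' . esc_attr((string) $p->ID) . '"' . $sel . '>'
               . esc_html($p->post_title) . '</option>';
    }
    return $html . '</select>';
}

// Check: the unsafe output still carries a raw tag, the safe output only entities.
$unsafe = render_page_options_unsafe($pages);
$safe   = render_page_options_safe($pages, 12);
if (strpos($unsafe, '<script>') === false) { throw new RuntimeException('unexpected'); }
if (strpos($safe, '<script>') !== false || strpos($safe, '&lt;script&gt;') === false) {
    throw new RuntimeException('escaping failed');
}
echo $safe, PHP_EOL;
```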
Preconditions
- auth: Attacker must have authenticated access to the WordPress admin panel (e.g., an Author-level or higher account)
- config: The UK Cookie Consent plugin version 2.3.9 or earlier must be installed and active
Reproduction
1. Log into the WordPress control panel.
2. Navigate to Pages and add a new page.
3. Insert malicious script (e.g., `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44503/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- packetstormsecurity.com/files/147333/WordPress-UK-Cookie-Consent-2.3.9-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- gist.github.com/B0UG/9732614abccaf2893c352d14c822d07b (mitre, x_refsource_MISC)
- wordpress.org/plugins/uk-cookie-consent/ (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.