CVE-2021-47957
Description
Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Attackers can inject script payloads through the plugin settings page that execute in the browsers of all WordPress users viewing the site, enabling cookie theft and sensitive data exfiltration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cookie Law Bar 1.2.1 has a stored XSS vulnerability allowing authenticated attackers to inject scripts via the Bar Message field, affecting all site visitors.
Vulnerability
The Cookie Law Bar plugin for WordPress version 1.2.1 (and possibly earlier) contains a stored cross-site scripting vulnerability in the "Bar Message" field on the plugin settings page. The plugin fails to sanitize user input before saving it, allowing injection of arbitrary HTML/JavaScript. [2][3][4]
Exploitation
An attacker must be authenticated as a WordPress user with access to the plugin settings page (typically administrators). The attacker navigates to the settings page (e.g., /wp-admin/options-general.php?page=clb) and submits a malicious payload such as `` into the Bar Message field. Upon saving, the payload is stored and executed in the browsers of all visitors to any WordPress page that displays the cookie bar. [4]
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of any user viewing the site. This enables cookie theft, session hijacking, defacement, or redirection to malicious sites. The attack affects all site visitors, including administrators, and can lead to full compromise of WordPress admin sessions. [3][4]
Mitigation
As of the available references, no official patch has been released. The plugin appears to be unmaintained (its latest release is 1.2.1). Users should disable and remove the plugin immediately. No workaround is available. The vulnerability is listed in the Exploit Database (EDB-ID 49905). [2][4]
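As an added illustration of the defect described above and of how a maintained plugin would close it (this is constructed example code, not the Cookie Law Bar plugin's own source): the unsanitized save-and-echo pattern beside a hardened version that sanitizes through the WordPress Settings API and escapes at output time. The option name `clb_bar_message` and the function names are assumptions.

```php
<?php
// Constructed illustration of the stored-XSS pattern in a settings field.
// Not the plugin's code; option/function names are hypothetical.

// --- Vulnerable pattern: raw POST value saved, raw option echoed ---
function clb_save_settings_vulnerable() {
    if ( isset( $_POST['clb_bar_message'] ) ) {
        // No sanitization: any HTML/JavaScript is persisted as-is.
        update_option( 'clb_bar_message', $_POST['clb_bar_message'] );
    }
}
function clb_render_bar_vulnerable() {
    // No escaping: stored markup runs in every visitor's browser.
    echo '<div id="clb-bar">' . get_option( 'clb_bar_message' ) . '</div>';
}

// --- Hardened: sanitize on save via the Settings API, escape on output ---
function clb_sanitize_bar_message( $value ) {
    // wp_kses_post() keeps only post-safe HTML; <script>, on* event
    // handlers and javascript: URLs are stripped before the value is stored.
    return wp_kses_post( $value );
}
function clb_register_settings() {
    // The Settings API routes saves through options.php, which enforces
    // the nonce and capability check and calls sanitize_callback.
    register_setting( 'clb_settings', 'clb_bar_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'clb_sanitize_bar_message',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'clb_register_settings' );

function clb_render_bar_hardened() {
    $message = get_option( 'clb_bar_message', '' );
    // Escape again at render time: stored data is never trusted, so a
    // value written before the sanitizer existed is still neutralized.
    echo '<div id="clb-bar">' . wp_kses_post( $message ) . '</div>';
}
add_action( 'wp_footer', 'clb_render_bar_hardened' );
```

If the bar message is meant to be plain text only, `sanitize_text_field()` on save and `esc_html()` on output are the stricter choice.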
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.