Unrated severityNVD Advisory· Published May 15, 2025· Updated May 17, 2025

GDPR Cookie Consent <= 2.6.0 - Unauthenticated Stored XSS

CVE-2024-8397

Description

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

WordPress/Webtoffee GDPR Cookie Consentcpe-rescue2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)
Webtoffee/Webtoffee GDPR Cookie Consentllm-create
Range: <2.6.1

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

wpscan.com/vulnerability/847fbf5d-f7cf-49fd-88bc-d7fa2a8110bd/mitreexploitvdb-entrytechnical-description

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000