VYPR
Medium severity · 6.4 · NVD Advisory · Published Jun 9, 2026

CVE-2026-8977

Description

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function, which echoes stored configuration values directly into a `<style>` block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The plugin fails to properly sanitize user-supplied configuration values before outputting them into a style block, and lacks sufficient authorization checks on an AJAX endpoint."

Attack vector

An authenticated attacker with subscriber-level privileges (or any higher role) sends a crafted request to `admin-ajax.php` for the `ninja_gdpr_ajax_actions` action, placing attacker-controlled strings in the `gdprConfig` values, specifically the `styleObj` parameters. Because `handleAjaxCalls()` performs neither a capability check nor a nonce check, the request is accepted from any logged-in user and the values are stored. `generateCSS()` then echoes the stored values unescaped into a `<style>` block on `wp_head`, so a value that closes the style element (one beginning with `</style><script>`, for example) leaves the CSS context and runs as script. The result is stored XSS that fires on every front-end page where `wp_head` is rendered, for every visitor including logged-in administrators [ref_id=1].

Affected code

The vulnerability spans two functions: `handleAjaxCalls()`, which dispatches AJAX requests, and `generateCSS()`, which outputs the styling. `updateGdprOption()`, reached from `handleAjaxCalls()`, saves the `gdprConfig` values without validating them; `addGDPRNotice()` then calls `generateCSS()`, which renders the stored values into the page's `<style>` block without escaping [ref_id=1].

What the fix does

No fix commit is linked on this page, so this describes what a fix must do rather than a specific patch. The `handleAjaxCalls` handler must verify a nonce and check a capability (such as `manage_options`) so that only administrators can modify settings; the `gdprConfig` values must be validated against what each setting can legitimately contain (colours, sizes, and so on) before they are saved; and `generateCSS` must escape or re-validate the values at output so that a stored string cannot close the `<style>` element. HTML entity encoding alone is a poor fit for a `<style>` context, because browsers do not decode character references inside style elements, so strict allowlisting of each value is the robust control. Together these prevent a low-privilege user from storing script-bearing values and prevent any stored value from being rendered as script.
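The following PHP is an added illustration and not code from the plugin or its vendor. It shows the vulnerable pattern described in the attack vector and root cause sections (an AJAX handler with no nonce or capability check storing `gdprConfig` values, and a `wp_head` hook echoing them raw into a `<style>` block) beside a hardened form that applies each of the controls listed above. It assumes it is loaded as a WordPress plugin; the option key `ninja_gdpr_config`, the nonce action `ninja_gdpr_save` and POST field `nonce`, the `styleObj` field names `bgColor`/`textColor`/`fontSize`, and the choice of `manage_options` are assumptions, not details taken from the advisory.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Assumes it runs inside
 * WordPress. Assumed names: option key 'ninja_gdpr_config', nonce action
 * 'ninja_gdpr_save' (POST field 'nonce'), styleObj keys bgColor/textColor/
 * fontSize, and the manage_options capability for changing settings.
 */

/* ---- Vulnerable pattern (the behaviour the advisory describes) ---- */

// Reached by any logged-in user via admin-ajax.php?action=ninja_gdpr_ajax_actions;
// nothing checks who is calling or whether the request carries a nonce.
function vuln_handle_ajax_calls() {
    $config = isset( $_POST['gdprConfig'] ) ? (array) $_POST['gdprConfig'] : array();
    update_option( 'ninja_gdpr_config', $config ); // stored without sanitization
    wp_send_json_success();
}
add_action( 'wp_ajax_ninja_gdpr_ajax_actions', 'vuln_handle_ajax_calls' );

// Echoes the stored value straight into a <style> block on every front-end page.
// Generic style-context breakout: a bgColor such as
//   </style><script>alert(document.domain)</script>
// closes the style element, so the script runs for every visitor.
function vuln_generate_css() {
    $cfg = get_option( 'ninja_gdpr_config', array() );
    $bg  = isset( $cfg['styleObj']['bgColor'] ) ? $cfg['styleObj']['bgColor'] : '#ffffff';
    echo '<style>.gdpr-banner{background:' . $bg . ';}</style>';
}
add_action( 'wp_head', 'vuln_generate_css' );

/* ---- Hardened pattern ---- */

// Allowlist validators: each returns a known-safe value or the supplied default.
function gdpr_valid_hex_color( $value, $default ) {
    return ( is_string( $value ) && preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) ) ? $value : $default;
}
function gdpr_valid_px( $value, $default ) {
    $n = absint( $value );
    return ( $n >= 8 && $n <= 48 ) ? $n : $default;
}
// Reduces an arbitrary styleObj array to exactly the fields and shapes CSS needs.
function gdpr_clean_style( $style ) {
    $style = is_array( $style ) ? $style : array();
    return array(
        'bgColor'   => gdpr_valid_hex_color( isset( $style['bgColor'] ) ? $style['bgColor'] : '', '#ffffff' ),
        'textColor' => gdpr_valid_hex_color( isset( $style['textColor'] ) ? $style['textColor'] : '', '#000000' ),
        'fontSize'  => gdpr_valid_px( isset( $style['fontSize'] ) ? $style['fontSize'] : 0, 14 ),
    );
}

function safe_handle_ajax_calls() {
    // 1. Nonce: terminates the request unless it carries a token issued by
    //    wp_create_nonce( 'ninja_gdpr_save' ) on a page this plugin rendered (CSRF control).
    check_ajax_referer( 'ninja_gdpr_save', 'nonce' );
    // 2. Capability: a subscriber fails this check, which is the authorization
    //    gap the advisory's attacker relies on.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Validate on the way in: only allowlisted values are ever stored.
    $raw   = isset( $_POST['gdprConfig'] ) ? (array) wp_unslash( $_POST['gdprConfig'] ) : array();
    $clean = array( 'styleObj' => gdpr_clean_style( isset( $raw['styleObj'] ) ? $raw['styleObj'] : array() ) );
    update_option( 'ninja_gdpr_config', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_ninja_gdpr_ajax_actions_safe', 'safe_handle_ajax_calls' );

function safe_generate_css() {
    // 4. Validate again at the sink, so a value stored by an older version or
    //    written directly to the database still cannot leave the CSS context.
    $cfg = get_option( 'ninja_gdpr_config', array() );
    $s   = gdpr_clean_style( isset( $cfg['styleObj'] ) ? $cfg['styleObj'] : array() );
    printf(
        '<style>.gdpr-banner{background:%s;color:%s;font-size:%dpx;}</style>',
        esc_attr( $s['bgColor'] ),   // belt-and-braces after allowlisting; not sufficient alone
        esc_attr( $s['textColor'] ),
        $s['fontSize']
    );
}
add_action( 'wp_head', 'safe_generate_css' );
```

The validators, not `esc_attr()`, are the control that matters at this sink: inside a `<style>` element the browser never decodes `&lt;`, so entity-encoding a breakout string prevents the script but leaves broken CSS in the page, and it does nothing about values that are valid CSS yet unwanted. Restricting each setting to the exact shape it can legitimately have (a six-digit hex colour, a bounded pixel size) removes the question entirely, and running the same validators at both the AJAX entry point and the `wp_head` output means a bad value in the database from any source is neutralised before it is rendered.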

Preconditions

  • Auth: the attacker must have at least subscriber-level privileges.
  • Input: a crafted AJAX request with malicious JavaScript in the `gdprConfig` values.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.