CVE-2021-24405

EIP tracks 1 public exploit for CVE-2021-24405. PoCs published by 0xB9.

AI-analyzed exploit summary This exploit demonstrates a broken access control vulnerability in WordPress Plugin Easy Cookie Policy 1.6.2, allowing any authenticated user to inject malicious scripts via a POST request to admin-ajax.php. The PoC includes a simple XSS payload to prove the vulnerability.

The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.