Skip to content
public
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
advisories/2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law/
advisories/2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law/

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

WordPress Plugin - EU Cookie Law (GDPR) - Stored XSS

Vulnerability Overview

The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.

  • Identifier : SBA-ADV-20190913-01
  • Type of Vulnerability : Cross-site Scripting
  • Software/Product Name : EU Cookie Law (GDPR)
  • Vendor : Alex Moss, Marco Milesi
  • Affected Versions : <= 3.0.6 and possibly upwards
  • Fixed in Version : -
  • CVE ID : CVE-2019-16522
  • CVSSv3 Vector : AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  • CVSSv3 Base Score : 3.5 (Low)

Vendor Description

EU Cookie Law is a light, elegant and powerful solution to comply european cookie law and GDPR, with popup and options to lock scripts before acceptance.

Various customizations included to perfectly fit your website and keep cookies under control (before and after the consent).

Simply install the plugin and follow the instructions on the Settings page.

Active Installations: 100,000+

Source: https://wordpress.org/plugins/eu-cookie-law/

Impact

By exploiting the documented vulnerability, an authenticated attacker with high privileges (admin) can execute JavaScript code in a victim's browser. This can be misused, e.g for phishing attacks by displaying a fake login form and sending the victim's credentials to the attacker. Furthermore malicious actions can be performed in the context of an authenticated user. The impact depends on the level of access of the attacked user.

Vulnerability Description

In the configuration area /wp-admin/options-general.php?page=peadig_eucookie an admin can set several options for the plugin. Most of them are correctly escaped before inserted in the HTML page. However three values of settings can be exploited to insert arbitrary JavaScript and HTML. Those are:

  • Font Color
  • Background Color
  • "Disable Cookie" Text

The value of "Fontcolor" will be inserted on every page where the cookie consent message is shown. The other two are by default only exploitable in the admin area.

Proof of Concept

This example shows how an attacker can exploit this vulnerability through the value of "Font Color": By setting the value #FFFFFF"><script>alert(1)</script>, an attacker can break out of the HTML attribute and insert a script tag containing JavaScript. In this example a simple alert-popup-box will be shown.

So when the attacker sends the following HTTP-Request:

POST /wp-admin/options.php HTTP/1.1
[...]

[...]peadig_eucookie%5Bfontcolor%5D=%23FFFFFF%22%3E%3Cscript%3Ealert%281%29%3C/script%3E[...]

In the admin area, the resulting HTML page looks like the following (shortened for readability):

[...]
<input id="fontcolor" type="text" name="peadig_eucookie[fontcolor]" value="#FFFFFF">
    <script>alert(1)</script>
    " class="color-field" data-default-color="#ffffff"/>
[...]

On the page with the cookie message the payload will be inserted multiple times. The resulting HTML looks like the following (shortened for readability):

[...]
<!-- Eu cookie Law 3.0.6 -->
<div class="pea_cook_wrapper pea_cook_bottomcenter" style="color:#FFFFFF">
    <script>alert(1)</script>
    ;background:rgb(0,0,0);background: rgba(0,0,0,0.85);">
[...]

Recommended Countermeasures

We recommend to escape the values using the esc_attr-function provided by WordPress.

Timeline

  • 2019-09-04 Identified the vulnerability
  • 2019-09-06 Contacted the authors
  • 2019-09-06 Response by authors about disclosure contact
  • 2019-09-09 Disclosed vulnerability to the authors
  • 2019-09-20 CVE assigned
  • 2019-09-20 Asked authors again for fix
  • 2019-10-16 Public disclosure, because authors did not respond

References

Credits