WordPress Beautiful Cookie Consent Banner 2.10.1 Cross Site Scripting

Posted May 25, 2023
Site wordfence.com

WordPress Beautiful Cookie Consent Banner versions 2.10.1 and below suffer from an unauthenticated persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 8858c77125409fd0fe39f8b285596c6f700c81b1e8838d3dc6e332a0dfaf4d61

Description: Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting 

Affected Plugin: Beautiful Cookie Consent Banner

Plugin Slug: beautiful-and-responsive-cookie-consent

Affected Versions: <= 2.10.1

CVE ID: Not Assigned

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Unknown

Fully Patched Version: 2.10.2

The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the injected script executes whenever a user visits an affected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.

The Attacks

According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

Chart: sites attacked and total attacks targeting this vulnerability.

We believe this is the work of a single actor, since every attack contained only the partial payload onmouseenter=" and no further functioning JavaScript. The attacks are most likely being run with a misconfigured exploit that expects a customized payload, which the attacker has simply failed to supply.
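To make the attribute-context injection concrete, here is an added Python illustration; it is not the plugin's PHP code and not part of the Wordfence post. It renders a banner link the insufficiently sanitized way and a hardened way (attribute escaping plus a scheme allowlist), then checks the output for event-handler attributes. The function names, the allowed-scheme list and the sample values are assumptions for the example; the handler body in the "complete" sample is a placeholder standing in for the customized payload the advisory says the attacker never supplied.

```python
"""Added illustration of attribute-context stored XSS (not the plugin's own code).

A link whose href comes from a stored setting is rendered two ways: by raw
concatenation (the class of bug described in the advisory) and with
attribute escaping plus a scheme allowlist.
"""
import html
import re
from urllib.parse import urlsplit

# Assumption for the example: the banner's "read more" link only ever needs web URLs.
ALLOWED_SCHEMES = {"http", "https"}

# Matches an on* event-handler attribute with a double-quoted value, which is what
# a successful breakout from href="..." produces.
EVENT_HANDLER_ATTR = re.compile(r'\son[a-z]+\s*=\s*"[^"]*"', re.IGNORECASE)


def render_link_vulnerable(href: str) -> str:
    """Insufficient sanitization and no output escaping: the value is concatenated as-is."""
    return '<a href="' + href + '">Read more</a>'


def render_link_hardened(href: str) -> str:
    """Escape for the attribute context and refuse anything that is not an http(s) URL."""
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        href = ""  # drops javascript:, data:, and bare fragments such as onmouseenter="
    return '<a href="' + html.escape(href, quote=True) + '">Read more</a>'


def injected_handlers(markup: str) -> list[str]:
    """Return every on* attribute found in rendered markup; an empty list means no breakout."""
    return EVENT_HANDLER_ATTR.findall(markup)


if __name__ == "__main__":
    # Constructed values: the campaign's partial fragment appended to a valid URL, and the
    # same fragment with a placeholder handler body standing in for a complete payload.
    partial = 'https://example.org/privacy" onmouseenter="'
    complete = 'https://example.org/privacy" onmouseenter="alert(document.domain)'
    for label, value in (("partial", partial), ("complete", complete)):
        print(label, "vulnerable:", injected_handlers(render_link_vulnerable(value)))
        print(label, "hardened: ", injected_handlers(render_link_hardened(value)))
```

With the vulnerable renderer the partial fragment yields an empty onmouseenter attribute, which is exactly why the current wave executes nothing, while the complete value yields a working handler; the hardened renderer produces no handler for either, because the quote that closes href is escaped to &quot; before it reaches the page.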

Despite this, if your website runs a vulnerable version of the plugin and you are not using Wordfence or another Web Application Firewall, these attacks can still corrupt the plugin's configuration and break its intended functionality. We therefore still recommend updating to the latest version, 2.13.0 at the time of this writing, as soon as possible.

Indicators of Compromise

Requests

Screenshot: an example request showing the payload being used.

POST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.
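One way to hunt for that pattern in your own access logs, as an added example that is not part of the Wordfence post: the scanner below flags POST requests to /wp-admin/admin-post.php from addresses you do not recognise and annotates those that appear in the advisory's IOC list. The log format, the trusted-address set and the sample log lines are constructed for the example (the non-attacker hosts use documentation IP ranges); only the attacker addresses come from the advisory.

```python
"""Added example (not from the Wordfence post): scan web-server access logs for the
request pattern described above. The log lines below are constructed for the example
and use documentation IP ranges for the non-attacker hosts.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Attacking IPs taken from the advisory's top-20 list (a subset is enough here).
ATTACKER_IPS = {
    "209.126.12.142", "101.34.223.139", "92.204.37.157", "66.37.4.138",
    "92.205.48.232", "212.237.233.32", "195.201.82.166", "67.205.58.212",
}

# Assumption: logs are in the "combined" format used by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/wp-admin/admin-post.php"


def payload_marker(text: str) -> bool:
    """True when the fragment used by the campaign appears after URL-decoding."""
    return "onmouseenter=" in unquote(text).lower()


def classify(line: str, trusted_ips: set[str]) -> Optional[dict]:
    """Return a finding for a POST to admin-post.php from an unrecognised host, else None.

    Access logs do not record POST bodies, so the match is on method, path and source
    address; the payload check only fires if the fragment shows up in the request line.
    A WAF log or a Wordfence Live Traffic entry would also show the body.
    """
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["target"].startswith(TARGET_PATH):
        return None
    ip = m["ip"]
    if ip in trusted_ips:
        return None
    reasons = ["POST to admin-post.php from unrecognised address"]
    if ip in ATTACKER_IPS:
        reasons.append("source listed in advisory IOCs")
    if payload_marker(m["target"]):
        reasons.append("payload fragment in request line")
    return {"ip": ip, "time": m["ts"], "status": m["status"], "reasons": reasons}


def scan(log_text: str, trusted_ips: set[str]) -> list[dict]:
    """Run classify over every line and keep the findings, in log order."""
    return [f for f in (classify(l, trusted_ips) for l in log_text.splitlines()) if f]


# Constructed sample log: one advisory IP, one unknown host, one trusted admin host,
# and an unrelated GET that must not be reported.
SAMPLE_LOG = """\
209.126.12.142 - - [23/May/2023:14:02:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2023:14:02:15 +0000] "GET /wp-content/plugins/beautiful-and-responsive-cookie-consent/css/style.css HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2023:14:03:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [23/May/2023:14:05:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://example.org/wp-admin/" "Mozilla/5.0"
"""
TRUSTED_IPS = {"192.0.2.10"}  # assumption: the site's own administrators

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, TRUSTED_IPS):
        print(finding)
```

Populate the trusted set from the addresses your administrators actually post from; a POST to admin-post.php from anywhere else is worth a look regardless of whether the source is on the advisory's list, since the list is only the top twenty of roughly 14,000 addresses.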

IP Addresses

We have included the top 20 attacking IP addresses, though there are many more:

- 209.126.12.142
- 101.34.223.139
- 92.204.37.157
- 66.37.4.138
- 92.205.48.232
- 212.237.233.32
- 195.201.82.166
- 67.205.58.212
- 51.38.27.102
- 173.236.213.148
- 207.244.241.230
- 74.208.177.185
- 92.204.33.117
- 134.119.0.186
- 5.9.238.21
- 92.205.64.149
- 94.158.149.174
- 173.236.215.161
- 92.205.48.177
- 190.54.62.76

If your site was impacted by this or an earlier attack campaign, it may have corrupted the nsc_bar_bannersettings_json option in your database. The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.
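If you want to confirm the corruption yourself before or after running the plugin's repair, the following added check (not the plugin's own repair code, and not from the Wordfence post) walks the stored option value and reports any string field carrying script markers, an event-handler fragment, or a quote character in a link field. It assumes the option holds a JSON object, which the name suggests; the field names in the constructed samples are made up, and keys ending in "href" or "url" are treated as link fields.

```python
"""Added example (not the plugin's own repair code): inspect the stored
nsc_bar_bannersettings_json option for injected markup.

Assumptions: the option holds a JSON object (the name suggests it); the field names in
the samples are made up; keys ending in "href" or "url" are treated as link fields.
"""
import json
import re
from typing import Any, Optional

# Markers that have no business in any banner setting, link or not.
SCRIPT_MARKERS = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
LINK_KEY = re.compile(r"(href|url)$", re.IGNORECASE)
ALLOWED_SCHEMES = ("http://", "https://")


def suspicious_value(key: str, value: str) -> Optional[str]:
    """Return a reason if this string value looks tampered with, else None."""
    if SCRIPT_MARKERS.search(value):
        return "script or event-handler marker"
    if LINK_KEY.search(key):
        if '"' in value or "'" in value:
            return "quote character in link field (attribute breakout)"
        if value and not value.lower().startswith(ALLOWED_SCHEMES):
            return "link field is not an http(s) URL"
    return None


def tampered_fields(raw_option: str) -> dict[str, str]:
    """Walk the decoded option and map each suspicious field path to the reason."""
    try:
        data: Any = json.loads(raw_option)
    except ValueError:
        return {"$": "option is not valid JSON (possibly PHP-serialized or truncated)"}
    hits: dict[str, str] = {}

    def walk(node: Any, path: str, key: str) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}", k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]", key)
        elif isinstance(node, str):
            reason = suspicious_value(key, node)
            if reason:
                hits[path] = reason

    walk(data, "$", "")
    return hits


# Constructed samples: an untouched configuration and one hit by the campaign's fragment.
CLEAN_OPTION = json.dumps(
    {"bar_text": "We use cookies.", "content_href": "https://example.org/privacy"}
)
INJECTED_OPTION = json.dumps(
    {"bar_text": "We use cookies.", "content_href": 'https://example.org/privacy" onmouseenter="'}
)

if __name__ == "__main__":
    print("clean:   ", tampered_fields(CLEAN_OPTION))
    print("injected:", tampered_fields(INJECTED_OPTION))
```

Feed it the raw value from the database, for example the output of `wp option get nsc_bar_bannersettings_json`; if the option turns out to be PHP-serialized rather than JSON, the function says so instead of guessing at its structure.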

Conclusion

In today’s article, we covered an uptick in attacks targeting a patched vulnerability in Beautiful Cookie Consent Banner.

All Wordfence sites, including those running Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection.

However, if you have friends or colleagues running this plugin, please forward this advisory to them. While the current wave of attacks does not contain a malicious payload, the attacker behind it is targeting a large list of sites and has significant resources available, and it would be simple for them to update their exploit configuration with a viable malicious payload.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.
