Vulnerabilities and security research for cookie-notice
Jun 06, 2024
Cookie Notice & Compliance for GDPR / CCPA # CVE-2023-0823
- CVE, Research URL: CVE-2023-0823
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: Mar 27, 2023
- Research Description: The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.4.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
- Affected versions: max 2.4.7.
- Status: vulnerable
Cookie Notice & Compliance for GDPR / CCPA # CVE-2021-24569
- CVE, Research URL: CVE-2021-24569
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: Sep 27, 2021
- Research Description: The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.
- Affected versions: max 2.1.4.
- Status: vulnerable
Cookie Notice & Compliance for GDPR / CCPA # CVE-2023-24400
- CVE, Research URL: CVE-2023-24400
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: May 07, 2023
- Research Description: Authenticated (contributor+) Cross-Site Scripting (XSS) vulnerability in Hu-manity.Co Cookie Notice & Compliance for GDPR / CCPA plugin versions <= 2.4.6.
- Affected versions: max 2.4.7.
- Status: vulnerable
Aug 16, 2024
Cookie Notice & Compliance for GDPR / CCPA # CVE-2022-3399
- CVE, Research URL: CVE-2022-3399
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: Aug 16, 2024
- Research Description: The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cookie_notice_options[refuse_code_head]' parameter in versions up to, and including, 2.4.17.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative privileges and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected /wp-admin/admin.php?page=cookie-notice page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Affected versions: max 2.4.18.
- Status: vulnerable
Dec 10, 2025
Cookie Notice & Compliance for GDPR / CCPA # CVE-2025-11186
- CVE, Research URL: CVE-2025-11186
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: Nov 22, 2025
- Research Description: The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookies_accepted shortcode in all versions up to, and including, 2.5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.5.9.
- Status: vulnerable
Feb 27, 2026
Cookie Notice & Compliance for GDPR / CCPA # PSC-2026-64624
- PSC, Research URL: PSC-2026-64624
- Application: Cookie Notice & Compliance for GDPR / CCPA
- Date: Feb 27, 2026
- Research Description: Cookie notice plugins look "simple", but they are security-relevant because they influence front-end script execution, store site-wide consent settings, and often expose customization fields that end up rendered for every visitor. If access control, request integrity, or output handling is weak, attackers can aim for stored/reflected XSS in banner content, CSRF-driven settings changes (silently altering consent behavior), or information exposure through misprotected endpoints and diagnostics. Cookie Notice & Compliance for GDPR / CCPA version 2.5.13 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64624, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for cookie notice and consent-management plugins.
- Affected versions: min 2.5.13, max 2.5.13.
- Status: SAFE & CERTIFIED