Heads up, WordPress admins! If your site runs the Beautiful Cookie Consent Banner plugin, update it now: the developers have patched a serious cross-site scripting (XSS) flaw that attackers are already exploiting at scale.
Serious Security Flaw Patched In Beautiful Cookie Consent Banner Plugin
Researchers from the Wordfence team have reported a severe stored cross-site scripting vulnerability in the cookie-management WordPress plugin. According to their post, an attacker who plants a script through the flaw can redirect visitors of the target site to malicious pages and, because the script runs in the browser of whoever loads the affected page, can also act with an administrator's session when an admin views it, for example to create rogue admin accounts.
Specifically, the flaw sits in the nsc_bar_content_href parameter (an href setting for the banner) in Beautiful Cookie Consent Banner versions 2.10.1 and earlier. The plugin neither sanitized the value when it was saved nor escaped it when it was printed into the page, so a stored payload is rendered as live script on every page that shows the banner.
The injected scripts redirect visitors to malicious web pages, harming the visitors' security and the site's credibility at the same time.
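To make the fix concrete, here is an added Python example of the bug class described above. It is not the plugin's code and is not taken from the Wordfence write-up: a stored href setting is rendered into a link without sanitization or escaping, beside a hardened version that validates the URL scheme on input and escapes the attribute on output. It goes slightly beyond the text by adding an audit helper for values that are already stored. The function names, the link markup and the sample payloads are constructed for illustration; in a WordPress plugin the two steps correspond to esc_url_raw() when saving and esc_url()/esc_attr() when printing.

```python
import html
from urllib.parse import urlsplit

# Hypothetical reconstruction of the bug class, NOT the plugin's own code:
# a banner setting that holds a URL is written into an href attribute.

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample values, as an attacker could store them in the setting.
PAYLOAD_BREAKOUT = '"><script>alert(document.cookie)</script>'
PAYLOAD_JS_SCHEME = "JavaScript:alert(1)"
PAYLOAD_IN_QUERY = 'https://example.com/?q="><script>alert(1)</script>'
BENIGN = "https://example.com/privacy-policy"


def render_link_vulnerable(stored_href: str) -> str:
    """Unsafe pattern: the stored value goes straight into the attribute.
    A double quote breaks out of href, so the payload can add event handlers
    or close the tag and open a <script> block of its own."""
    return f'<a class="nsc-bar-link" href="{stored_href}">Learn more</a>'


def sanitize_href(value: str) -> str:
    """Input sanitization: accept only http(s) URLs, otherwise return ''.
    Filtering by scheme stops javascript:, data: and similar URIs.
    (Comparable to WordPress esc_url_raw() on save.)"""
    value = value.strip()
    if urlsplit(value).scheme.lower() not in ALLOWED_SCHEMES:
        return ""
    return value


def escape_attr(value: str) -> str:
    """Output escaping for an HTML attribute context: quotes and angle
    brackets become entities, so the value cannot leave the attribute.
    (Comparable to WordPress esc_attr()/esc_url() on output.)"""
    return html.escape(value, quote=True)


def render_link_hardened(stored_href: str) -> str:
    """Safe pattern: validate on input AND escape on output. Either step
    alone leaves a gap; an https URL can still carry quotes in its query."""
    href = sanitize_href(stored_href)
    if not href:
        return ""
    return f'<a class="nsc-bar-link" href="{escape_attr(href)}">Learn more</a>'


SUSPICIOUS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "onmouseover=")


def looks_injected(stored_href: str) -> bool:
    """Audit helper for an already-stored value: flags anything that is not
    a plain http(s) URL or that carries script-like markers."""
    if not stored_href.strip():
        return False
    lowered = stored_href.lower()
    if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
        return True
    return sanitize_href(stored_href) == ""


if __name__ == "__main__":
    for value in (BENIGN, PAYLOAD_BREAKOUT, PAYLOAD_JS_SCHEME, PAYLOAD_IN_QUERY):
        print("vulnerable:", render_link_vulnerable(value))
        print("hardened:  ", render_link_hardened(value) or "(rejected)")
        print("injected?  ", looks_injected(value))
        print()
```

The hardened renderer deliberately rejects relative paths and any non-http(s) scheme; if a deployment needs relative links, allow an empty scheme together with a leading "/" rather than loosening the escaping step.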
Patch Released For The Vulnerability Under Attack
According to Wordfence, attackers had already taken notice of the vulnerability. The researchers spotted the campaign through their firewall telemetry: it has blocked around 3 million attack attempts against 1.5 million sites since May 2023. The consistency of the attack pattern points to a single threat actor running the campaign, though the researchers could not attribute it to a specific group.
After detecting the issue, the researchers reported it to the plugin developers, who released the full fix in plugin version 2.10.2. Wordfence rated the vulnerability high severity, with a CVSS score of 7.2.
The plugin's official WordPress page lists over 40,000 active installations, so any site still on a vulnerable version is a live target. WordPress admins should make sure their sites are running a patched release.
The plugin's changelog shows the current version as 2.13.0, so admins should ideally update to that release to pick up the security fix along with the later bug fixes. Updating closes the injection path but does not undo what an attacker may already have done: after updating, check the banner's stored settings for injected markup and review the administrator accounts for any you did not create.