CVE-2022-3399

Summary

CVE-2022-3399 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Cookie Notice & Compliance plugin for WordPress. This issue, present in versions up to 2.4.17.1, allows authenticated attackers with administrative privileges to inject malicious scripts into the 'cookie_notice_options[refuse_code_head]' parameter. When a user accesses the /wp-admin/admin.php?page=cookie-notice page, these scripts will execute. This vulnerability poses a threat primarily to multi-site installations and those where unfiltered_html has been disabled. The root cause is insufficient input sanitization and output escaping, enabling attackers to manipulate content and potentially steal sensitive data or install malware.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.