
CVE-2024-8397: CWE-79 Cross-Site Scripting (XSS) in Unknown webtoffee-gdpr-cookie-consent

Severity: Medium
Tags: Vulnerability, CVE-2024-8397, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:07:15 UTC)
Source: CVE
Vendor/Project: Unknown
Product: webtoffee-gdpr-cookie-consent

Description

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.

AI-Powered Analysis

Last updated: 07/04/2025, 15:42:03 UTC

Technical Analysis

CVE-2024-8397 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting versions of the WordPress plugin webtoffee-gdpr-cookie-consent prior to 2.6.1. The vulnerability arises because the plugin fails to properly sanitize and escape IP address headers when logging them. An attacker can exploit this by injecting malicious JavaScript payloads into the IP headers, which the plugin then stores. The stored payload is executed when an administrator visits the 'Consent report' page within the WordPress admin dashboard, so the malicious script runs in the context of an authenticated admin user. This can lead to unauthorized actions such as session hijacking, privilege escalation, or data exfiltration. The CVSS 3.1 base score is 5.4, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction needed (an admin must visit the page). The vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The CVE was assigned by WPScan and published in May 2025.

Potential Impact

For European organizations using the webtoffee-gdpr-cookie-consent plugin on their WordPress sites, this vulnerability poses a significant risk to administrative accounts and sensitive data. Since the plugin is GDPR-related, it is likely deployed on sites handling personal data, increasing the potential impact of data breaches. Exploitation could allow attackers to execute arbitrary scripts in the admin context, potentially leading to theft of admin credentials, unauthorized modification of cookie consent records, or further compromise of the website and connected systems. This could result in violations of GDPR compliance, reputational damage, and legal penalties. The impact is particularly critical for organizations with public-facing WordPress sites that rely on this plugin for cookie consent management, as attackers can remotely exploit the vulnerability without authentication but require an admin to view the malicious payload. The medium CVSS score reflects the moderate ease of exploitation combined with the requirement for admin interaction.

Mitigation Recommendations

European organizations should immediately verify whether their WordPress installations use the webtoffee-gdpr-cookie-consent plugin and identify the version in use. If the version is prior to 2.6.1, they should upgrade to the latest patched version as soon as it becomes available. In the absence of an official patch, organizations should implement the following mitigations:

1) Restrict access to the WordPress admin dashboard to trusted IP addresses using firewall rules or VPNs to reduce the risk of an admin encountering malicious payloads.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious IP header values containing script tags or unusual characters.
3) Educate administrators to avoid visiting the 'Consent report' page unless necessary and to verify the integrity of logs and reports.
4) Regularly audit and sanitize logs that include IP headers to remove any injected scripts.
5) Monitor WordPress plugin updates and subscribe to security advisories from the plugin vendor and WPScan for timely patching.
6) Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts that might execute.
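As an added illustration (not the plugin's own code, which this page does not show), the hypothetical PHP sketch below contrasts storing a client-supplied IP header verbatim with the two defences that close this bug class: validating the value as an IP address before it is logged, and escaping the stored value when the consent report renders it. The function names, the constructed `$request` array and the stand-alone `esc_html` fallback are assumptions for this example.

```php
<?php
// Stand-alone fallback so the file runs outside WordPress; inside WordPress
// the real esc_html() from core is used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hypothetical "before": whatever the visitor put in the header is stored.
// X-Forwarded-For is fully attacker-controlled, so script tags survive here.
function log_ip_unsafe(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

// Hardened storage: only a syntactically valid IPv4/IPv6 address is kept.
// Note: X-Forwarded-For should only be trusted behind a proxy you control;
// the validation here is about what reaches the log, not attribution.
function log_ip_safe(array $server): string {
    $candidates = [];
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may carry a comma-separated chain; take the first hop.
        $candidates[] = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (!empty($server['REMOTE_ADDR'])) {
        $candidates[] = $server['REMOTE_ADDR'];
    }
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    // Never store the raw rejected value; a fixed marker is enough for audit.
    return 'invalid';
}

// Hardened rendering: escape on output regardless of what storage did, so a
// row logged by an older, unpatched version cannot run script in the admin
// browser when the consent report is viewed.
function render_consent_row(string $ip): string {
    return '<td>' . esc_html($ip) . '</td>';
}

// Constructed request, not a real log entry.
$request = [
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 10.0.0.5',
    'REMOTE_ADDR'          => '203.0.113.7',
];
echo render_consent_row(log_ip_unsafe($request)), "\n"; // tainted row, escaped
echo render_consent_row(log_ip_safe($request)), "\n";   // validated address
```

Escaping at render time is what protects already-logged rows (mitigation 4), while validation at storage time keeps new payloads out of the log in the first place.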


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-09-03T17:37:12.054Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb8f1

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/4/2025, 3:42:03 PM

Last updated: 8/11/2025, 7:20:59 PM
