PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8977 techjewel CVE debrief

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a <style> block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor
techjewel
Product
WP GDPR Cookie Consent
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Users of the WP GDPR Cookie Consent plugin for WordPress, particularly those with subscriber-level access and above, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the WP GDPR Cookie Consent plugin for WordPress, specifically in the 'ninja_gdpr_ajax_actions' AJAX action. The handleAjaxCalls() function lacks capability and nonce checks, and the gdprConfig values are not properly sanitized. Additionally, the generateCSS() function does not escape output, allowing attackers to inject arbitrary web scripts.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the WP GDPR Cookie Consent plugin to a version that includes a fix for this vulnerability.
  • Limit access to the 'ninja_gdpr_ajax_actions' AJAX action to prevent unauthorized modifications.
  • Implement additional security measures, such as input validation and output escaping, to prevent similar vulnerabilities.

Evidence notes

The CVE-2026-8977 record and associated references provide evidence of this vulnerability. [See resourceLinkAnnotations for links]

Official resources

CVE-2026-8977 was published on 2026-06-09T05:16:41.087Z and modified on 2026-06-09T13:33:34.393Z.