CVE-2021-4358: 
WordPress vulnerability analysis and mitigation

The WP DSGVO Tools (GDPR) WordPress plugin, versions up to and including 3.1.23, contains a Stored Cross-Site Scripting vulnerability (CVE-2021-4358). The vulnerability was discovered and disclosed in September 2021, affecting all installations of the plugin prior to version 3.1.24. The issue stems from insufficient input sanitization and output escaping in an unknown parameter (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages due to improper input validation. The CVSS v3.1 base score is rated as 7.2 (High) by Wordfence and 6.1 (Medium) by NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Wordfence).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute whenever a user accesses an affected page. This can lead to potential theft of sensitive information, session hijacking, or redirection of users to malicious websites (NVD).

Users should immediately update to version 3.1.24 or later of the WP DSGVO Tools plugin. As a temporary workaround, it is recommended to deactivate all integrations and verify the authenticity of integration scripts before reactivating them. If compromise is suspected, all integration scripts should be reviewed for unauthorized modifications (Nintechnet).