CVE-2024-11724: 
WordPress vulnerability analysis and mitigation

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) WordPress plugin contains a vulnerability identified as CVE-2024-11724. The vulnerability affects all versions up to and including 3.6.5, and was disclosed on December 12, 2024. This security issue stems from a missing capability check on the wplscriptsave AJAX action (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, no user interaction, unchanged scope, no impact on confidentiality, low impact on integrity, and no impact on availability (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to whitelist scripts through unauthorized modification of data. This capability could potentially compromise the security settings of the cookie consent functionality (NVD).

A fix has been released in version 3.6.6 of the plugin. Users are advised to update to this latest version to mitigate the vulnerability (WordPress Plugin).