CVE-2024-8397: 
WordPress vulnerability analysis and mitigation

The webtoffee-gdpr-cookie-consent WordPress plugin before version 2.6.1 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and reported by Zitec/Teodora Jilaveanu, and was assigned CVE-2024-8397. The vulnerability affects the plugin's functionality related to IP header logging and consent reporting (WPScan).

The vulnerability stems from improper sanitization and escaping of IP headers when logging them in the plugin's system. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) (CISA-ADP).

When exploited, this vulnerability allows unauthenticated visitors to conduct Stored Cross-Site Scripting attacks. The malicious script gets executed in the admin context when an administrator visits the 'Consent report' page, potentially leading to unauthorized actions and data exposure (WPScan).

The vulnerability has been patched in version 2.6.1 of the webtoffee-gdpr-cookie-consent plugin. Users are advised to update to this version or later to protect against potential attacks (WPScan).