CVE-2024-11724

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to whitelist scripts without proper authorization. Attackers can bypass intended restrictions in the Cookie Consent plugin, potentially allowing malicious scripts to execute. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) WordPress plugin
Versions: All versions up to and including 3.6.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access (Subscriber role or higher)

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could whitelist malicious JavaScript that steals user credentials, session cookies, or performs other malicious actions on the site.

🟠 Likely Case

Attackers bypass script blocking controls to execute tracking scripts, ads, or other unwanted content that should be blocked by the plugin.

🟢 If Mitigated

With proper user role management and monitoring, impact is limited to script whitelisting only, not direct code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session but is straightforward once the attacker is logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Cookie Consent for WP' plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 3.6.6 from WordPress repository and manually update

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or restrict access to the wpl_script_save AJAX action

Add to theme's functions.php or custom plugin:
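add_action('init', function() {
    // remove_all_actions() detaches every handler on the hook, so it does not
    // depend on the callback name the plugin registered. This disables script
    // saving for administrators as well until the plugin is updated.
    remove_all_actions('wp_ajax_wpl_script_save');
    remove_all_actions('wp_ajax_nopriv_wpl_script_save');
}, 99); // late priority: run after plugins have registered their hooks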
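
A variant of the "restrict access" option, as an added example that is not the vendor's patch or code from this advisory: a must-use plugin that checks a capability before the plugin's handler runs and logs denied attempts. The `manage_options` requirement, the `wpl_gate_*` names, and the plugin's handler running at the default priority 10 are assumptions.

```php
<?php
/**
 * Plugin Name: Gate wpl_script_save (temporary mitigation, added example)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the Plugins screen. Remove after updating to 3.6.6.
 */

// Capability required to reach the plugin's handler (assumed policy; adjust).
const WPL_GATE_REQUIRED_CAP = 'manage_options';

/**
 * Hooked at priority 0 so it runs before the plugin's own handler,
 * which is assumed to be registered at the default priority 10.
 */
function wpl_gate_script_save() {
    if ( current_user_can( WPL_GATE_REQUIRED_CAP ) ) {
        return; // authorized: fall through to the plugin's handler
    }

    // Record the denied attempt for the log indicators listed in this advisory.
    $user = wp_get_current_user();
    error_log( sprintf(
        '[wpl-gate] denied wpl_script_save: user_id=%d roles=%s ip=%s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request,
    // so later callbacks on this hook never run.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_wpl_script_save', 'wpl_gate_script_save', 0 );
```

Unlike removing the action, this keeps script saving available to administrators, and the `[wpl-gate]` lines in the PHP error log identify which accounts attempted the request.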

Restrict user capabilities

all

Temporarily restrict Subscriber role capabilities until patch is applied

Use WordPress role management plugin or add to functions.php:
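add_action('init', function() {
    $subscriber = get_role('subscriber');
    // remove_cap() is saved to the database: the change persists after this
    // snippet is deleted, so restore it with add_cap('read') once patched.
    if ($subscriber && $subscriber->has_cap('read')) {
        $subscriber->remove_cap('read');
    }
});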

🧯 If You Can't Patch

  • Disable the Cookie Consent plugin entirely until patched
  • Implement strict user role management and monitor for suspicious AJAX requests

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Cookie Consent for WP' version 3.6.5 or lower

Check Version:

# gdpr-cookie-consent is the plugin slug, as it appears in the changeset URL above
wp plugin get gdpr-cookie-consent --field=version

Verify Fix Applied:

Verify plugin version shows 3.6.6 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests to admin-ajax.php with action=wpl_script_save from non-admin users
  • Multiple script whitelisting attempts from single user

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=wpl_script_save parameter

SIEM Query:

source="wordpress" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND query_string="action=wpl_script_save"
