CVE-2021-47957 Overview
CVE-2021-47957 is a stored cross-site scripting (XSS) vulnerability in the WordPress Cookie Law Bar plugin version 1.2.1. The flaw exists in the plugin's settings page, where the Bar Message (clb_bar_msg) field fails to sanitize user input before storing it in the database. Authenticated attackers with access to plugin configuration can inject arbitrary JavaScript payloads that execute in the browsers of all site visitors who render the cookie consent bar. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Successful exploitation enables session cookie theft, credential harvesting, and arbitrary script execution against every visitor of the affected WordPress site.
Affected Products
- WordPress Cookie Law Bar plugin version 1.2.1
- WordPress sites with the vulnerable plugin installed and active
- Any site visitor rendering the injected cookie consent bar
Discovery Timeline
- 2026-05-16 - CVE-2021-47957 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47957
Vulnerability Analysis
The Cookie Law Bar plugin renders a configurable consent banner on WordPress sites. The plugin's administrative settings page accepts arbitrary HTML and JavaScript through the Bar Message field without applying output encoding or input sanitization. An authenticated user with permission to modify plugin settings can submit a script payload that is persisted to the WordPress database. The payload is then echoed back unescaped into the rendered banner on every page where the cookie bar is displayed.
Because the malicious script executes within the security context of the affected WordPress domain, it can read session cookies, perform actions on behalf of authenticated administrators, and exfiltrate data to attacker-controlled infrastructure. The persistent nature of the injection means every visitor is affected until an administrator removes the payload.
Root Cause
The root cause is missing input sanitization and output encoding on the clb_bar_msg parameter. The plugin trusts administrative input and writes the value directly into HTML context without escaping characters such as <, >, and quotation marks. WordPress provides functions like wp_kses_post() and esc_html() for this purpose, but the plugin does not apply them.
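The following is an added illustration of the pattern described above, not the Cookie Law Bar plugin's own source: the settings registration and banner output as the advisory describes them (no sanitize_callback, raw echo), next to a hardened form that sanitizes on save with wp_kses_post() and escapes again on output. The function names and the option group 'clb_settings' are hypothetical; only the option name clb_bar_msg comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. Function and option-group names are
// hypothetical; clb_bar_msg is the option named in the advisory.

// --- Vulnerable pattern (the defect CVE-2021-47957 describes) ---
// No sanitize_callback: whatever the settings form submits is written to
// wp_options unchanged ...
function clb_register_setting_vulnerable() {
    register_setting( 'clb_settings', 'clb_bar_msg' );
}

// ... and the stored value is echoed into HTML context without escaping, so a
// stored <script> or on* handler runs in every visitor's browser.
function clb_render_bar_vulnerable() {
    $msg = get_option( 'clb_bar_msg', '' );
    echo '<div class="clb-bar">' . $msg . '</div>';
}

// --- Hardened pattern ---
// Sanitize on save: wp_kses_post() strips <script>, on* event handlers and
// javascript: URLs while keeping the formatting tags a banner legitimately needs.
function clb_register_setting_hardened() {
    register_setting(
        'clb_settings',
        'clb_bar_msg',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
            'default'           => '',
        )
    );
}

// Escape on output as well (defense in depth: a value stored before the fix,
// or written directly to the database, must not be trusted either).
function clb_render_bar_hardened() {
    $msg = get_option( 'clb_bar_msg', '' );
    echo '<div class="clb-bar">' . wp_kses_post( $msg ) . '</div>';
}

// If the message is meant to be plain text rather than limited HTML,
// esc_html() is the stricter choice for the output step:
//   echo '<div class="clb-bar">' . esc_html( $msg ) . '</div>';

add_action( 'admin_init', 'clb_register_setting_hardened' );
add_action( 'wp_footer', 'clb_render_bar_hardened' );
```

Sanitizing on save alone is not enough: an option value written before the fix, or planted directly in the database, still reaches the page, which is why the hardened output path escapes a second time.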
Attack Vector
An attacker requires authenticated access with privileges to edit plugin settings. The attacker navigates to the Cookie Law Bar configuration page, enters a JavaScript payload into the Bar Message field, and saves the settings. The payload is stored in the WordPress options table and rendered to every visitor. User interaction with the affected page is required for payload execution. Public exploit code is available through Exploit-DB #49905 and the VulnCheck Advisory on XSS.
The vulnerability manifests in the unsanitized handling of the Bar Message setting. See the referenced advisories for proof-of-concept details.
Detection Methods for CVE-2021-47957
Indicators of Compromise
- Presence of <script>, onerror=, or onload= strings inside the clb_bar_msg option value in the wp_options table
- Outbound HTTP requests from visitor browsers to unfamiliar domains immediately after rendering the cookie banner
- Unexpected modifications to Cookie Law Bar plugin settings in WordPress audit logs
Detection Strategies
- Query the WordPress database for entries in wp_options where option_name references Cookie Law Bar settings and inspect values for HTML or JavaScript syntax
- Deploy a Web Application Firewall (WAF) rule that flags <script> and event handler patterns submitted to wp-admin/options.php
- Review web server access logs for POST requests to plugin settings endpoints originating from non-administrative users or unusual IP ranges
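An added example of the first detection strategy and the first indicator listed above (not part of the advisory): a small PHP scanner that checks Cookie Law Bar option values for script tags, event-handler attributes, javascript: URLs and embedded frames. The sample rows are constructed; the commented $wpdb query at the end shows how the same function is fed real wp_options rows from inside WordPress.

```php
<?php
// Added example, not part of the advisory or the plugin. The sample rows below
// are constructed; only clb_bar_msg and the wp_options table are named in the advisory.

// Patterns that have no legitimate place in a cookie banner message.
const CLB_XSS_INDICATORS = array(
    'script_tag'    => '/<\s*script\b/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_url'        => '/javascript\s*:/i',
    'iframe_object' => '/<\s*(iframe|object|embed)\b/i',
);

// Returns the names of the indicators matched by one option value.
// Entities are decoded first so that an encoded "&lt;script" is not missed.
function clb_find_indicators( $value ) {
    $hits    = array();
    $decoded = html_entity_decode( (string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    foreach ( CLB_XSS_INDICATORS as $name => $regex ) {
        if ( preg_match( $regex, $decoded ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scans option_name => option_value rows (as fetched from wp_options) and
// reports only the Cookie Law Bar settings (clb_ prefix) that match.
function clb_scan_options( array $rows ) {
    $findings = array();
    foreach ( $rows as $name => $value ) {
        if ( strpos( $name, 'clb_' ) !== 0 ) {
            continue;
        }
        $hits = clb_find_indicators( $value );
        if ( ! empty( $hits ) ) {
            $findings[ $name ] = $hits;
        }
    }
    return $findings;
}

// Constructed sample rows: one tampered banner message, two benign options.
$sample_rows = array(
    'clb_bar_msg'   => 'We use cookies. <script>/* constructed sample */</script>',
    'clb_bar_color' => '#333333',
    'siteurl'       => 'https://example.invalid',
);

foreach ( clb_scan_options( $sample_rows ) as $name => $hits ) {
    printf( "%s: %s\n", $name, implode( ', ', $hits ) );
}
// Prints: clb_bar_msg: script_tag

// Inside WordPress (for example via WP-CLI `eval-file`), feed real rows instead:
// global $wpdb;
// $rows = $wpdb->get_results(
//     $wpdb->prepare(
//         "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
//         $wpdb->esc_like( 'clb_' ) . '%'
//     ),
//     ARRAY_A
// );
// $findings = clb_scan_options( array_column( $rows, 'option_value', 'option_name' ) );
```

The regexes are deliberately broad (any on*= attribute, any <script prefix); a match is a lead for an analyst to inspect the stored value, not proof of compromise, and a clean result does not rule out payloads that use less common tags.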
Monitoring Recommendations
- Enable WordPress audit logging to capture all plugin option changes with user attribution
- Monitor the Content Security Policy (CSP) violation reports for inline script execution attempts on public pages
- Alert on creation of new administrator accounts or privilege changes following suspicious settings modifications
How to Mitigate CVE-2021-47957
Immediate Actions Required
- Deactivate and remove the Cookie Law Bar plugin version 1.2.1 from affected WordPress installations
- Audit the clb_bar_msg option value in the database and remove any injected HTML or script content
- Rotate WordPress administrator credentials and force re-authentication for all privileged accounts
- Review user accounts for unauthorized administrative privileges or recently created users
Patch Information
No vendor patch is referenced in the available advisory data for Cookie Law Bar 1.2.1. Site operators should migrate to a maintained cookie consent plugin such as the actively developed Cookie Law Info Plugin or evaluate alternatives listed in the WordPress Cookie Law Plugin directory.
Workarounds
- Restrict access to the plugin settings page to a minimal set of trusted administrators using role management plugins
- Apply a strict Content Security Policy that disallows inline scripts (script-src 'self') to limit XSS payload execution
- Configure a WAF to block requests containing script tags or JavaScript event handlers targeting wp-admin/options.php
- Replace the vulnerable plugin with a supported alternative that receives ongoing security maintenance
# Content Security Policy header example for nginx
# 'always' also sets the header on error responses. The policy blocks inline
# scripts echoed from the stored option; it does not remove the stored payload.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.