WordPress Logo

“Beautiful Cookie Consent Banner” WordPress plugin vulnerability: Update now!

WordPress plugins are under fire once more, and you’re advised to update your version of Beautiful Cookie Consent Banner as soon as possible. The plugin, which is installed on more than 40,000 sites, has been impacted by a “bizarre campaign”  being actively used since at least February 5 of this year.

The plugin is designed to present users with a cookie banner “without loading any external resources from third parties”. Sadly the cookie has crumbled with a flaw leaving sites open to the possibility of rogue JavaScript abuse.

The flaw was actually patched way back in January, but considering how long some folks can leave updates it’s going to take a while to have this one settle down. The best example of this update-related security drag is the fact that despite the plugin update, attacks are still in full flow. Researchers have observed:

3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023.

The plugin exploit is a cross-site scripting attack (XSS), a type of attack that injects malicious code into otherwise benign websites. Most XSS attacks require users to click on doctored links, and only work if they do, because the malicious code isn’t retained by the site being attacked. The vulnerability in the Beautiful Cookie Consent banner allows for the more dangerous stored XSS, in which an attacker causes the site to remember the malicious code and regurgitate it to all of its users.

The potential for mischief and mayhem with this kind of compromise is large. Perhaps someone could use scripts to redirect visitors to malware, or phishing pages, or even create malicious admin users. Maybe the rogue admin could add a phishing login page to the website itself, without the real admins knowing about it.

What’s interesting with this one, and perhaps why it’s being tagged as “bizarre”, is that the attack is misconfigured with attacks containing a “partial payload”. In essence, bits of JavaScript code are missing. As the researchers put it, the misconfigured exploit…

…expects a customised payload, and the attacker has simply failed to provide one.

Even so, they note that even in its misconfigured state it still has the potential to corrupt the configuration of the plugin so it will no longer work as expected. There is also the possibility of the individual(s) responsible adding in a functional payload at a later date.

The latest version of the plugin is 2.10.2. Anything below this is at risk of attack. If your site has been impacted by this vulnerability, once you upgrade patched versions will repair alterations made by said attack. If you think you might be at risk, or you’re unsure which version you’re running, now is the time to pop over to the plugin’s WordPress page and see if an update is required.

Attacks are ongoing, and will likely continue. Numbers have ramped up dramatically over the past month, so it would be best to lock your site plugins down now. In fact, it would probably be a good idea to check the update status of all of your site plugins. Why wait until you see the name of something you use appearing in a news article next month when you can get one step ahead of the game right now?

Keeping WordPress safe

The following preventative maintenance could save you a lot of trouble:

  • Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
  • Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
  • Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
  • Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.