Executive Summary

The vulnerability in CVE-2026-0914 affects the WP DSGVO Tools (GDPR) WordPress plugin, specifically its 'lw_content_block' shortcode. Due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, authenticated users with contributor-level access or higher can inject arbitrary web scripts (Stored Cross-Site Scripting). These malicious scripts execute whenever any user accesses the injected page. The issue arises mainly from how the shortcode processes attributes and content embedding, where the sanitization is inadequate, potentially allowing script injection despite some mitigations like wp_kses with extended tags. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated attackers with contributor-level access or above to inject malicious scripts into pages via the plugin's shortcode. These scripts execute in the context of users visiting those pages, potentially leading to session hijacking, defacement, unauthorized actions, or theft of sensitive information. Since the scripts are stored and executed on page load, it can affect any user viewing the compromised content, increasing the risk of widespread impact within the WordPress site. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability undermines GDPR compliance goals by allowing unauthorized script injection that can bypass user consent mechanisms implemented by the plugin. Since the plugin is designed to manage content embedding based on user consent (cookies), this flaw can lead to unauthorized data processing or exposure, violating GDPR principles of data protection and user consent. The security fix in version 3.1.37 improves sanitization and output escaping to better enforce consent and data protection requirements, helping restore compliance. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the WordPress site is running the WP DSGVO Tools (GDPR) plugin version 3.1.36 or earlier. Specifically, look for the presence of the 'lw_content_block' shortcode in posts or pages that may contain unsanitized or malicious script injections. You can search the WordPress database for usage of the shortcode and inspect content for suspicious scripts. For example, use WP-CLI commands to search posts: `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep '\[lw_content_block'`. Additionally, scanning HTTP traffic for suspicious script tags or unusual shortcode outputs may help detect exploitation attempts. However, no specific detection commands are provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the WP DSGVO Tools (GDPR) plugin to version 3.1.37 or later, where the vulnerability has been fixed by adding proper sanitization of the shortcode parameters and improved output escaping. If updating is not immediately possible, restrict contributor-level and above users from adding or editing content with the 'lw_content_block' shortcode. Also, review and sanitize existing content that uses this shortcode to remove any malicious scripts. Applying web application firewall (WAF) rules to block suspicious script injections related to this shortcode can also help mitigate risk. [2]

Useful 0 Not Useful 0