CVE-2026-0914
Stored XSS in WP DSGVO Tools Plugin via lw_content_block Shortcode
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shapepress | wp_dsgvo_tools | to 3.1.36 (inc) |
| shapepress | wp_dsgvo_tools | 3.1.37 |
| shapepress | shapepress_dsgvo | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-0914 affects the WP DSGVO Tools (GDPR) WordPress plugin, specifically its 'lw_content_block' shortcode. Due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, authenticated users with contributor-level access or higher can inject arbitrary web scripts (Stored Cross-Site Scripting). These malicious scripts execute whenever any user accesses the injected page. The issue arises mainly from how the shortcode processes attributes and content embedding, where the sanitization is inadequate, potentially allowing script injection despite some mitigations like wp_kses with extended tags. [1]
How can this vulnerability impact me? :
This vulnerability allows authenticated attackers with contributor-level access or above to inject malicious scripts into pages via the plugin's shortcode. These scripts execute in the context of users visiting those pages, potentially leading to session hijacking, defacement, unauthorized actions, or theft of sensitive information. Since the scripts are stored and executed on page load, it can affect any user viewing the compromised content, increasing the risk of widespread impact within the WordPress site. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability undermines GDPR compliance goals by allowing unauthorized script injection that can bypass user consent mechanisms implemented by the plugin. Since the plugin is designed to manage content embedding based on user consent (cookies), this flaw can lead to unauthorized data processing or exposure, violating GDPR principles of data protection and user consent. The security fix in version 3.1.37 improves sanitization and output escaping to better enforce consent and data protection requirements, helping restore compliance. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is running the WP DSGVO Tools (GDPR) plugin version 3.1.36 or earlier. Specifically, look for the presence of the 'lw_content_block' shortcode in posts or pages that may contain unsanitized or malicious script injections. You can search the WordPress database for usage of the shortcode and inspect content for suspicious scripts. For example, use WP-CLI commands to search posts: `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep '\[lw_content_block'`. Additionally, scanning HTTP traffic for suspicious script tags or unusual shortcode outputs may help detect exploitation attempts. However, no specific detection commands are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP DSGVO Tools (GDPR) plugin to version 3.1.37 or later, where the vulnerability has been fixed by adding proper sanitization of the shortcode parameters and improved output escaping. If updating is not immediately possible, restrict contributor-level and above users from adding or editing content with the 'lw_content_block' shortcode. Also, review and sanitize existing content that uses this shortcode to remove any malicious scripts. Applying web application firewall (WAF) rules to block suspicious script injections related to this shortcode can also help mitigate risk. [2]