tarteaucitron.io Security & Risk Analysis

wordpress.org/plugins/tarteaucitronjs

Compliant and accessible cookie banner.

10K active installs · v1.31.0 · PHP + WP 2.8+ · Updated Mar 4, 2026
Tags: cookie, gdpr, rgpd, tarteaucitron

Score: 96
Grade: A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: May 28, 2025
Safety Verdict

Is tarteaucitron.io Safe to Use in 2026?

Generally Safe

Score 96/100

tarteaucitron.io has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: May 28, 2025 · Updated 1mo ago
Risk Assessment

The "tarteaucitronjs" v1.31.0 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, all identified SQL queries utilize prepared statements. The presence of nonce and capability checks, though limited, is also a good sign. However, a significant concern arises from the output escaping, with only 19% of outputs being properly escaped. This low rate indicates a high potential for Cross-Site Scripting (XSS) vulnerabilities, which aligns with the plugin's vulnerability history. Furthermore, the taint analysis shows one flow with unsanitized paths, which, while not classified as critical or high, still represents a potential security weakness that could be exploited. The plugin's vulnerability history, with 3 known CVEs including high and medium severity issues related to XSS and CSRF, reinforces the concerns about input sanitization and output escaping. The most recent vulnerability in 2025 suggests a continued pattern of such issues. While the current version has no unpatched vulnerabilities and a contained attack surface, the recurring nature of XSS and CSRF in its history, coupled with poor output escaping, warrants caution.

Key Concerns

  • Low percentage of properly escaped output
  • Taint flow with unsanitized paths
  • Known high severity CVE in history
  • Known medium severity CVE in history
  • Recurring XSS and CSRF vulnerability types
Vulnerabilities
3

tarteaucitron.io Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 1
  • Low: 1

3 total CVEs

CVE-2025-4955 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

tarteaucitron.io <= 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 28, 2025 · Patched in 1.9.5 (42d)

CVE-2021-36889 · low · 3.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

tarteaucitron.js – Cookies legislation & GDPR (WordPress plugin) <= 1.6 - Cross-Site Scripting

Dec 17, 2021 · Patched in 1.6.1 (766d)

CVE-2021-36887 · high · 8.8 · Cross-Site Request Forgery (CSRF)

tarteaucitron.js – Cookies legislation & GDPR <= 1.5.4 - Cross-Site Request Forgery to Cross-Site Scripting

Dec 9, 2021 · Patched in 1.6 (775d)
Code Analysis
Analyzed Mar 16, 2026

tarteaucitron.io Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 17 (4 escaped)
Nonce Checks: 3
Capability Checks: 2
File Operations: 0
External Requests: 3
Bundled Libraries: 0

Output Escaping

19% escaped · 21 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths

  • tarteaucitronForceLocale (tarteaucitron.php:116): unsanitized path from source (user input) to sink
Attack Surface

tarteaucitron.io Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 24

  • action admin_menu (Admin.php:5)
  • action admin_enqueue_scripts (Admin.php:10)
  • action admin_notices (Admin.php:191)
  • filter the_content (Sidebars.php:79)
  • action init (tarteaucitron.php:20)
  • action init (tarteaucitron.php:70)
  • action plugins_loaded (tarteaucitron.php:77)
  • action wp_head (tarteaucitron.php:115)
  • action admin_bar_menu (tarteaucitron.php:128)
  • action admin_print_styles (tarteaucitron.php:137)
  • action wp_print_styles (tarteaucitron.php:138)
  • filter embed_oembed_html (tarteaucitron.php:153)
  • filter autoptimize_filter_js_exclude (tarteaucitron.php:205)
  • filter litespeed_optimize_js_excludes (tarteaucitron.php:217)
  • filter rocket_exclude_js (tarteaucitron.php:218)
  • filter rocket_minify_excluded_external_js (tarteaucitron.php:219)
  • filter wp-optimize-minify-default-exclusions (tarteaucitron.php:220)
  • filter perfmatters_delayed_scripts (tarteaucitron.php:221)
  • filter sgo_js_minify_exclude (tarteaucitron.php:222)
  • filter flying_press_exclude_from_minify:js (tarteaucitron.php:223)
  • filter flying_press_exclude_from_defer:js (tarteaucitron.php:224)
  • filter wpassetcleanup_exclude_loaded_js (tarteaucitron.php:225)
  • action sidebar_admin_setup (Widgets.php:105)
  • action widgets_init (Widgets.php:108)
Maintenance & Trust

tarteaucitron.io Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version:
Downloads: 223K

Community Trust

Rating: 90/100
Number of ratings: 13
Active installs: 10K
Developer Profile

tarteaucitron.io Developer Profile

Amauri

2 plugins · 14K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 218 days
Detection Fingerprints

How We Detect tarteaucitron.io

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/tarteaucitronjs/css/user.css
  • /wp-content/plugins/tarteaucitronjs/css/admin-bar.min.css

Script Paths

  • https://cdntag.tarteaucitron.io/load.js

Version Parameters

  • tarteaucitronjs/css/user.css?ver=
  • tarteaucitronjs/css/admin-bar.min.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • youtube_player
  • vimeo_player
  • dailymotion_player

HTML Comments

  • <!--cloudflare-no-transform-->

Data Attributes

  • videoID
  • theme
  • rel
  • controls
  • showinfo
  • autoplay

JS Globals

  • tarteaucitron.job
FAQ

Frequently Asked Questions about tarteaucitron.io