Implied Cookie Consent CVE-2025-25113
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Implied Cookie Consent allows Reflected XSS. This issue affects Implied Cookie Consent: from n/a through 1.3.
AnalysisAI
Reflected cross-site scripting in Implied Cookie Consent WordPress plugin through version 1.3 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs requiring user interaction. Reported by Patchstack's security audit team, this network-accessible vulnerability scores CVSS 7.1 due to scope change enabling attacks across security contexts. EPSS exploitation probability is low at 0.15% (36th percentile), and no active exploitation has been confirmed in CISA KEV, though Patchstack tracking suggests awareness in vulnerability databases targeting WordPress plugins.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the Implied Cookie Consent WordPress plugin, which handles cookie consent banner functionality. The plugin fails to properly sanitize or encode user-supplied input before rendering it in HTML responses, allowing injection of malicious JavaScript. WordPress plugins commonly suffer from XSS when handling URL parameters, form inputs, or AJAX endpoints without using WordPress's built-in sanitization functions like esc_html(), esc_attr(), or wp_kses(). The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's security context, typical when injected scripts can access WordPress cookies, session tokens, or interact with other site components under the same origin.
Affected ProductsAI
WordPress plugin Implied Cookie Consent versions from the initial release through version 1.3 are confirmed vulnerable. The plugin is developed by NotFound and available through the WordPress plugin repository. Specific version history and installation counts are not provided in available data, but Patchstack tracking indicates active monitoring of this WordPress plugin. Organizations can verify affected installations by checking plugin version in WordPress admin dashboard under Plugins section.
RemediationAI
Upgrade to Implied Cookie Consent version 1.4 or later if available, as version 1.3 is confirmed vulnerable. Check the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/implied-cookie-consent/ for the latest patched version and installation instructions. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to filter suspicious URL parameters and block common XSS patterns in HTTP requests to WordPress endpoints, though this may affect legitimate functionality if parameters are aggressively filtered. Alternatively, temporarily deactivate the Implied Cookie Consent plugin and implement cookie consent using a different maintained plugin or native browser consent mechanisms, accepting the trade-off of reconfiguring consent workflows. For defense in depth, ensure WordPress core and all other plugins are updated, and configure Content Security Policy (CSP) headers to restrict inline script execution, noting this may require adjusting other plugins that rely on inline JavaScript.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today