Skip to main content

Implied Cookie Consent CVE-2025-25113

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:26 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Implied Cookie Consent allows Reflected XSS. This issue affects Implied Cookie Consent: from n/a through 1.3.

AnalysisAI

Reflected cross-site scripting in Implied Cookie Consent WordPress plugin through version 1.3 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs requiring user interaction. Reported by Patchstack's security audit team, this network-accessible vulnerability scores CVSS 7.1 due to scope change enabling attacks across security contexts. EPSS exploitation probability is low at 0.15% (36th percentile), and no active exploitation has been confirmed in CISA KEV, though Patchstack tracking suggests awareness in vulnerability databases targeting WordPress plugins.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the Implied Cookie Consent WordPress plugin, which handles cookie consent banner functionality. The plugin fails to properly sanitize or encode user-supplied input before rendering it in HTML responses, allowing injection of malicious JavaScript. WordPress plugins commonly suffer from XSS when handling URL parameters, form inputs, or AJAX endpoints without using WordPress's built-in sanitization functions like esc_html(), esc_attr(), or wp_kses(). The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's security context, typical when injected scripts can access WordPress cookies, session tokens, or interact with other site components under the same origin.

Affected ProductsAI

WordPress plugin Implied Cookie Consent versions from the initial release through version 1.3 are confirmed vulnerable. The plugin is developed by NotFound and available through the WordPress plugin repository. Specific version history and installation counts are not provided in available data, but Patchstack tracking indicates active monitoring of this WordPress plugin. Organizations can verify affected installations by checking plugin version in WordPress admin dashboard under Plugins section.

RemediationAI

Upgrade to Implied Cookie Consent version 1.4 or later if available, as version 1.3 is confirmed vulnerable. Check the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/implied-cookie-consent/ for the latest patched version and installation instructions. If immediate patching is not possible, implement Web Application Firewall (WAF) rules to filter suspicious URL parameters and block common XSS patterns in HTTP requests to WordPress endpoints, though this may affect legitimate functionality if parameters are aggressively filtered. Alternatively, temporarily deactivate the Implied Cookie Consent plugin and implement cookie consent using a different maintained plugin or native browser consent mechanisms, accepting the trade-off of reconfiguring consent workflows. For defense in depth, ensure WordPress core and all other plugins are updated, and configure Content Security Policy (CSP) headers to restrict inline script execution, noting this may require adjusting other plugins that rely on inline JavaScript.

Share

CVE-2025-25113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy