Skip to main content

Cookie Notice & Consent CVE-2025-49390

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.

AnalysisAI

Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Technical ContextAI

This vulnerability stems from improper input neutralization (CWE-79) in the Cookie Notice & Consent WordPress plugin by christophrado. Stored XSS occurs when user-supplied input is saved to the database without proper sanitization and later rendered in web pages without adequate output encoding. Unlike reflected XSS, stored variants persist across sessions and affect multiple users. The WordPress plugin ecosystem commonly exposes administrative interfaces where input validation failures create stored XSS attack surfaces-particularly in configuration panels, custom fields, and comment systems. The CVSS scope change (S:C) indicates the vulnerable component (plugin) differs from the impacted component (WordPress core session/authentication), typical of plugin-based XSS where attackers compromise the broader WordPress installation security context.

Affected ProductsAI

WordPress Cookie Notice & Consent plugin by christophrado, all versions from initial release through version 1.6.4 inclusive. The vulnerability affects installations where the plugin is active on WordPress sites. According to Patchstack database reference, this represents a broad version range including the latest publicly available release at time of disclosure. No CPE identifiers provided in available data. Vendor advisory and detailed affected version matrix available at https://patchstack.com/database/Wordpress/Plugin/cookie-notice-consent/vulnerability/wordpress-cookie-notice-consent-plugin-1-6-4-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade Cookie Notice & Consent plugin to version 1.6.5 or later if available-verify current version from WordPress.org plugin repository or vendor directly, as fix version is not independently confirmed in provided data. Check Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cookie-notice-consent/vulnerability/wordpress-cookie-notice-consent-plugin-1-6-4-cross-site-scripting-xss-vulnerability for official patch status. If no patched version exists, implement compensating controls: restrict plugin configuration access to super-admin role only via User Role Editor or similar capability management plugin (trade-off: reduces operational flexibility for site managers); implement Web Application Firewall rules to block common XSS payloads in HTTP requests to wp-admin plugin endpoints (trade-off: may cause false positives requiring whitelist tuning); or temporarily disable the plugin and replace with alternative cookie consent solutions like CookieYes or Complianz until patch is released (trade-off: service interruption and migration effort). Apply WordPress security hardening including Content Security Policy headers to limit XSS impact.

Share

CVE-2025-49390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy