Cookie Notice & Consent CVE-2025-49390
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.
AnalysisAI
Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper input neutralization (CWE-79) in the Cookie Notice & Consent WordPress plugin by christophrado. Stored XSS occurs when user-supplied input is saved to the database without proper sanitization and later rendered in web pages without adequate output encoding. Unlike reflected XSS, stored variants persist across sessions and affect multiple users. The WordPress plugin ecosystem commonly exposes administrative interfaces where input validation failures create stored XSS attack surfaces-particularly in configuration panels, custom fields, and comment systems. The CVSS scope change (S:C) indicates the vulnerable component (plugin) differs from the impacted component (WordPress core session/authentication), typical of plugin-based XSS where attackers compromise the broader WordPress installation security context.
Affected ProductsAI
WordPress Cookie Notice & Consent plugin by christophrado, all versions from initial release through version 1.6.4 inclusive. The vulnerability affects installations where the plugin is active on WordPress sites. According to Patchstack database reference, this represents a broad version range including the latest publicly available release at time of disclosure. No CPE identifiers provided in available data. Vendor advisory and detailed affected version matrix available at https://patchstack.com/database/Wordpress/Plugin/cookie-notice-consent/vulnerability/wordpress-cookie-notice-consent-plugin-1-6-4-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade Cookie Notice & Consent plugin to version 1.6.5 or later if available-verify current version from WordPress.org plugin repository or vendor directly, as fix version is not independently confirmed in provided data. Check Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cookie-notice-consent/vulnerability/wordpress-cookie-notice-consent-plugin-1-6-4-cross-site-scripting-xss-vulnerability for official patch status. If no patched version exists, implement compensating controls: restrict plugin configuration access to super-admin role only via User Role Editor or similar capability management plugin (trade-off: reduces operational flexibility for site managers); implement Web Application Firewall rules to block common XSS payloads in HTTP requests to wp-admin plugin endpoints (trade-off: may cause false positives requiring whitelist tuning); or temporarily disable the plugin and replace with alternative cookie consent solutions like CookieYes or Complianz until patch is released (trade-off: service interruption and migration effort). Apply WordPress security hardening including Content Security Policy headers to limit XSS impact.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today