Skip to main content

WP GDPR Cookie Consent CVE-2025-53316

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 00:51 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel WP GDPR Cookie Consent wp-gdpr-cookie-consent allows Stored XSS.This issue affects WP GDPR Cookie Consent: from n/a through <= 1.0.0.

AnalysisAI

Stored cross-site scripting in WP GDPR Cookie Consent plugin versions up to 1.0.0 can be triggered via cross-site request forgery (CSRF) attack, allowing remote attackers to inject malicious JavaScript into the WordPress site without authentication but requiring victim administrator interaction. The chained CSRF-to-XSS vulnerability enables attackers to execute JavaScript in administrator contexts, potentially leading to site takeover. EPSS probability is low (0.03%), no public exploit confirmed, and no known active exploitation at time of analysis.

Technical ContextAI

This is a chained vulnerability combining CWE-352 (Cross-Site Request Forgery) with stored XSS in a WordPress plugin. WP GDPR Cookie Consent is a WordPress plugin designed to manage cookie consent notices for GDPR compliance. The CSRF flaw allows attackers to forge requests on behalf of authenticated administrators, while the stored XSS component indicates that malicious payloads persist in the database and execute when administrators view affected pages. The CVSS vector AV:N/AC:L/PR:N indicates network-exploitable without authentication, though UI:R confirms required user interaction. The S:C (scope changed) metric indicates the vulnerability breaks out of the plugin's security context into the broader WordPress environment, enabling JavaScript execution with administrator privileges and access to WordPress APIs, other plugins, and sensitive user data.

Affected ProductsAI

WordPress sites running WP GDPR Cookie Consent plugin by Shahjahan Jewel, affecting all versions from initial release through version 1.0.0. The vulnerability was reported by Patchstack audit team (audit@patchstack.com). The plugin is distributed through WordPress.org plugin repository. Vendor advisory available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/wp-gdpr-cookie-consent/vulnerability/wordpress-wp-gdpr-cookie-consent-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

RemediationAI

Update WP GDPR Cookie Consent to a version newer than 1.0.0 if available. Check the WordPress plugin repository or contact plugin author Shahjahan Jewel for patched release. Patchstack database reference at https://patchstack.com/database/Wordpress/Plugin/wp-gdpr-cookie-consent/vulnerability/wordpress-wp-gdpr-cookie-consent-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve should contain patch details, though specific fix version is not confirmed in available data. If no patched version exists, immediately deactivate and remove the plugin, replacing it with an alternative GDPR cookie consent solution such as CookieYes, Complianz, or GDPR Cookie Compliance. As interim mitigation if the plugin must remain active, implement Content Security Policy headers to restrict inline script execution (note this may break legitimate plugin functionality), configure web application firewall rules to detect CSRF patterns targeting WordPress admin endpoints, and educate administrators to verify legitimacy of any external links before clicking while logged into WordPress admin panel. Consider enabling two-factor authentication for WordPress administrators to add defense-in-depth, though this does not directly prevent CSRF-to-XSS exploitation.

Share

CVE-2025-53316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy