The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a critical vulnerability, CVE-2025-1621, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript into the “Accept – Button Label” field in the plugin’s settings. The injected script can later be executed when a user interacts with the consent banner, leading to potential account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.
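The bug class described above, a settings value stored by an administrator and later rendered into the consent banner without escaping, is illustrated here with an added example that is not the plugin's own code; the option name and function names are hypothetical, and the WordPress APIs used (get_option, esc_html, register_setting, sanitize_text_field) are the standard ones.

```php
<?php
// Added illustration (hypothetical option and function names, not the
// plugin's code) of a stored-XSS sink in a settings field and its fix.

// VULNERABLE: the admin-supplied label is concatenated into markup as-is,
// so any HTML or <script> saved in the option runs for every visitor.
function demo_render_accept_button_unsafe() {
    $label = get_option( 'demo_accept_button_label', 'Accept' );
    echo '<button class="cookie-accept">' . $label . '</button>';
}

// HARDENED: escape at the output sink. esc_html() converts <, >, &, and
// quotes to entities, so the stored value can only ever render as text.
function demo_render_accept_button_safe() {
    $label = get_option( 'demo_accept_button_label', 'Accept' );
    echo '<button class="cookie-accept">' . esc_html( $label ) . '</button>';
}

// Defence in depth: also strip tags on save via register_setting()'s
// sanitize_callback, so markup never reaches the options table in the
// first place. Output escaping above still stays, because values can be
// written to the option by other code paths.
function demo_register_settings() {
    register_setting(
        'demo_cookie_options',
        'demo_accept_button_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Accept',
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

// If the label is instead handed to the banner's JavaScript (for example
// via wp_localize_script), the browser side must assign it with
// textContent rather than innerHTML to get the same guarantee.
```

Reviewing a plugin for this class of issue means finding every place a stored option is echoed and confirming the last function applied before output is an esc_* helper appropriate to the context (esc_html for element content, esc_attr for attributes).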
CVE-2025-1621 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC
