The GDPR Cookie Compliance plugin is an essential tool for WordPress websites aiming to comply with the General Data Protection Regulation (GDPR) by providing cookie consent banners and settings. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1619) has been identified in the plugin. This vulnerability allows an attacker with editor-level privileges to inject malicious JavaScript into the plugin’s “Checkbox Labels” field. Once the injected JavaScript is saved, it is stored in the WordPress database and executed when users interact with the cookie consent banner on the site. This can lead to account takeover, session hijacking, and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability represents a major security risk for websites using the GDPR Cookie Compliance plugin.
CVE | CVE-2025-1620 |
Plugin | GDPR Cookie Compliance < 4.15.7 |
Severity | High |
All-time downloads | 10 511 174 |
Active installations | 300 000+ |
Publicly Published | January 17, 2025 |
Last Updated | January 17, 2025 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1619 https://wpscan.com/vulnerability/ae9bc19d-1634-4501-a258-8c56b2afee88/ |
Timeline
January 23, 2025 | Plugin testing and vulnerability detection in GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD was completed |
January 23, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
February 17, 2025 | Registered CVE-2025-1619 |
Discovery of the Vulnerability
CVE-2025-1619 was discovered during a security audit of the GDPR Cookie Compliance plugin. The vulnerability exists in the “Checkbox Labels” field located under the “Screen Settings” tab in the plugin’s settings. This field is meant to allow users to customize the labels for checkboxes displayed on the cookie consent banner. However, the plugin does not properly sanitize or validate user input, allowing for the injection of malicious JavaScript. An attacker can input a payload, which is then saved in the plugin’s settings. This malicious code is later executed when the user interacts with the consent banner. The lack of input sanitization is the root cause of this vulnerability, leaving the plugin vulnerable to XSS attacks.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is a common vulnerability that arises when an attacker is able to inject malicious JavaScript into a web page, which is then executed in the browsers of unsuspecting users. XSS attacks can lead to a range of consequences, such as stealing session cookies, hijacking user accounts, defacing websites, or injecting malicious scripts that compromise site security. In WordPress, XSS vulnerabilities are often found in plugins that allow user input without proper sanitization. A notable real-world example is the XSS vulnerability found in the WPForms plugin, which allowed attackers to inject JavaScript into form fields. Similarly, CVE-2025-1619 in the GDPR Cookie Compliance plugin allows attackers to inject JavaScript into the “Checkbox Labels” field, potentially compromising the site and allowing the attacker to escalate their privileges or perform unauthorized actions.
Exploiting the XSS Vulnerability
To exploit CVE-2025-1619, an attacker with editor-level privileges proceeds as follows.
PoC:
1) Go to the plugin's settings page: http://127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=screen-settings
2) Change the "Checkbox Labels" field to malicious JS code (eval() etc.), for example: 123" onmouseover=alert(1)//
3) Save Settings.
4) To trigger the XSS, open any accessible page.
The potential risks of CVE-2025-1619 are significant. If an attacker successfully exploits this vulnerability, they can hijack the session of an administrator or another user with elevated privileges. This could give the attacker full control over the WordPress site, allowing them to modify site content, steal sensitive user data, install malicious plugins, or deface the site. In a real-world scenario, an attacker could use the vulnerability to escalate their privileges and create a backdoor admin account, which would allow them persistent access to the site, even after the vulnerability is patched. This is especially concerning for sites that handle sensitive information, such as e-commerce websites or membership platforms. Exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2025-1619, it is essential for administrators to update the GDPR Cookie Compliance plugin to the latest version once a fix is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Input sanitization and validation should be implemented for all fields that accept user input, especially those affecting the frontend, such as the “Button – Hover Label” field. Implementing a Content Security Policy (CSP) and performing regular security audits can help identify and mitigate potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attack, the vendor applied the prevention methods we recommended.
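The two layers the root-cause analysis above says were missing, sanitizing the label on save and escaping it for its output context, plus the capability restriction recommended here, as an added example of hardened handling for a free-text label setting. This is illustrative code written for this article, not the plugin's own code; the option name, settings group, function names and the `example_` prefix are assumptions.

```php
<?php
// Added example, not the plugin's code. Hardened handling of a
// "Checkbox Labels"-style setting: sanitize on save, escape on output,
// and require an administrator capability to save. Option and group
// names below are assumptions for illustration.

// 1) Sanitize on save. register_setting() runs sanitize_callback before
//    the value reaches wp_options, so the stored value never contains
//    markup. sanitize_text_field() strips tags and line breaks, so a
//    value such as 123" onmouseover=alert(1)// is stored as plain text.
function example_sanitize_checkbox_labels( $input ) {
    $clean = array();
    foreach ( (array) $input as $key => $label ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( $label );
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'example_gdpr_settings',         // settings group (assumed)
        'example_gdpr_checkbox_labels',  // option name (assumed)
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_sanitize_checkbox_labels',
        )
    );
} );

// 2) Escape on output for the context the value lands in. Even a clean
//    option is escaped here; this is the layer that stops a stored value
//    from breaking out of the attribute or text node it is printed into.
function example_render_checkbox( $key, $label ) {
    printf(
        '<label><input type="checkbox" name="%1$s" value="1"> %2$s</label>',
        esc_attr( $key ),   // attribute context: encodes " and <
        esc_html( $label )  // text-node context: encodes <, >, &, "
    );
}

// 3) Defense in depth: saving this settings group requires manage_options
//    (administrators) instead of an editor-level capability. Site owners
//    can additionally put define( 'DISALLOW_UNFILTERED_HTML', true ); in
//    wp-config.php to revoke unfiltered_html from every role.
add_filter( 'option_page_capability_example_gdpr_settings', function () {
    return 'manage_options';
} );
```

Sanitization on save limits what is stored, but the output escaping in step 2 is what protects visitors even if an unsanitized value already sits in the database from before the fix.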
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1619, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.