CVE-2025-1620 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a popular WordPress tool designed to help websites comply with the European Union’s General Data Protection Regulation (GDPR). It enables website owners to display cookie consent banners and floating buttons to obtain user consent for cookies. However, a severe vulnerability, CVE-2025-1620, has been discovered in this plugin. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript into the “Button – Hover Label” field within the plugin settings, which is executed when users hover over the settings icon in the floating cookie consent button. This type of Stored Cross-Site Scripting (XSS) attack can result in the creation of backdoor accounts, account takeover, and other malicious actions. With over 300,000 active installations, this vulnerability poses a significant risk for WordPress sites using the GDPR Cookie Compliance plugin.

CVE	CVE-2025-1620
Plugin	GDPR Cookie Compliance < 4.15.7
Critical	High
All Time	10 511 174
Active installations	300 000+
Publicly Published	January 17, 2025
Last Updated	January 17, 2025
Researcher	Dmitrii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1620 https://wpscan.com/vulnerability/923db805-92e7-4489-8e57-374a19f817d7/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

Get Plugin Security Certificate

PSC by Cleantalk

Timeline

Discovery of the Vulnerability

The vulnerability was identified during a security assessment of the GDPR Cookie Compliance plugin. It is found in the “Button – Hover Label” field located in the “Floating Button” settings. This field is used to customize the hover text that appears when users interact with the floating cookie consent button. However, the plugin fails to sanitize or validate the user input in this field, allowing an attacker to inject arbitrary JavaScript code. For example, an attacker can enter a payload, which is stored in the WordPress database when the settings are saved. When a user interacts with the floating button, the malicious JavaScript is executed. This flaw is a result of inadequate input sanitization, leaving the plugin vulnerable to XSS attacks.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious JavaScript into a website, which then runs in the browsers of unsuspecting visitors. XSS vulnerabilities are common in web applications that allow users to input data, such as comments, forms, or settings. If these inputs are not properly sanitized, malicious scripts can be executed in a victim’s browser, leading to session hijacking, unauthorized access to sensitive data, and account takeover. A real-world example of XSS in WordPress was seen in the WPForms plugin, where attackers could inject malicious scripts into form fields. Similarly, CVE-2025-1620 in the GDPR Cookie Compliance plugin allows attackers to inject JavaScript into the “Button – Hover Label” field, which can lead to severe consequences, including account takeover and the creation of backdoor accounts.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1620, an attacker with editor-level privileges:

POC:

1) You should go to the settings of this plugin http://127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=floating-button
2) Change "Button - Hover Label " field to "Malicious JS code eval() and etc.
3) Save Settings
4) To trigger XSS you should go to any accessible page and save cookie consent. After that you should hover on settings icon in left side of the screen

____

The risks associated with CVE-2025-1620 are significant. If exploited, the attacker could hijack the session of an administrator or another user with elevated privileges, granting the attacker full control of the WordPress site. This could lead to unauthorized access to sensitive information, such as user data, financial details, or intellectual property. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges and create a backdoor admin account, giving them persistent access to the site even after the vulnerability is patched. This is especially concerning for websites that handle sensitive user data, such as e-commerce or membership sites. If exploited, this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, the attacker could install malicious plugins or modify site content, further compromising the integrity of the site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2025-1620, it is essential for administrators to update the GDPR Cookie Compliance plugin to the latest version once a fix is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. Input sanitization and validation should be implemented for all fields that accept user input, especially those affecting the frontend, such as the “Button – Hover Label” field. Implementing Content Security Policies (CSP) and performing regular security audits can help identify and mitigate potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1620, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.