The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a high-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-1621, has been discovered in the plugin. It allows an attacker with access to the plugin’s settings to inject malicious JavaScript into the “Accept – Button Label” field. Because the label is rendered as part of the consent banner, the injected script executes in the browser of every visitor whose page shows the banner, including logged-in administrators, which can lead to session hijacking, account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.

CVE: CVE-2025-1621
Plugin: GDPR Cookie Compliance < 4.15.7
Criticality: High
Downloads (all time): 10 511 174
Active installations: 300 000+
Publicly published: January 17, 2025
Last updated: January 17, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7 (2017): Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1621
https://wpscan.com/vulnerability/c30b9631-2024-4081-9cc5-8294a77c5ebb/
Timeline

January 23, 2025: Plugin testing and vulnerability detection in the GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin have been completed
January 23, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 17, 2025: Registered CVE-2025-1621

Discovery of the Vulnerability

CVE-2025-1621 was identified during a security review of the GDPR Cookie Compliance plugin. The vulnerability lies in the “Accept – Button Label” field within the plugin’s banner settings. This field is designed to let site owners customize the text of the accept button on the cookie consent banner. However, the plugin neither sanitizes the value when it is saved nor escapes it when it is printed into the page, so an attacker can store HTML and JavaScript in place of the label text, for instance a <script> element or an HTML event-handler attribute. The payload is persisted in the plugin’s settings and executed in the browser of every visitor whenever the banner is rendered on the frontend. The root cause is inadequate input validation and sanitization combined with missing output escaping.

Understanding XSS attacks

Cross-Site Scripting (XSS) is a well-known vulnerability that occurs when an attacker is able to inject malicious JavaScript code into a website, which is then executed in the browsers of users who visit the site. XSS attacks can have serious consequences, such as session hijacking, website defacement, theft of sensitive data and compromise of user accounts. In a Stored XSS the payload is saved on the server (here, in a plugin option) and delivered to every visitor, which makes it more dangerous than a reflected XSS that needs a crafted link. WordPress plugins are frequently susceptible to XSS vulnerabilities, especially when they accept user input without proper sanitization and print it without escaping. A real example of an XSS vulnerability in WordPress was found in the WPForms plugin, where attackers could inject JavaScript into form fields. Similarly, CVE-2025-1621 in the GDPR Cookie Compliance plugin allows attackers to inject malicious JavaScript into the “Accept – Button Label” field, which triggers XSS whenever the consent banner is displayed.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1621, an attacker with editor-level privileges (enough to reach the plugin’s settings page) performs the following steps:

POC:

1) Open the banner settings of the plugin, on a local test installation at http://127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=banner-settings
2) Replace the contents of the "Accept - Button Label" field with a JavaScript payload (for example a <script> element or an HTML event-handler attribute; anything that runs eval() or similar will do).
3) Save the settings.
4) To trigger the XSS, open any publicly accessible page of the site on which the cookie banner is rendered; the payload runs in the browser of every visitor, including administrators who are logged in.

____

The risks associated with CVE-2025-1621 are substantial. If an attacker successfully exploits this vulnerability, they could hijack the session of an administrator or another user with elevated privileges, effectively gaining full control of the WordPress site. This could lead to unauthorized access to sensitive data, the installation of malicious plugins, site defacement, or the creation of new user accounts with admin privileges. In a real-world scenario, an attacker could create a backdoor admin account, allowing them persistent access to the site even after the vulnerability is patched. This is especially concerning for websites that handle sensitive user data, such as e-commerce sites or membership platforms, as the exposure of this data could result in legal and financial consequences. Additionally, the attacker could install additional malicious scripts or backdoors, leading to further exploitation of the website.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2025-1621, administrators should update the GDPR Cookie Compliance plugin to version 4.15.7 or later, which contains the fix. Administrators should also restrict the unfiltered_html capability for non-admin users, especially editors, to limit their ability to inject markup into plugin settings; on a single-site WordPress installation both editors and administrators hold unfiltered_html by default, and it can be removed for everyone with the DISALLOW_UNFILTERED_HTML constant in wp-config.php. Plugin developers should sanitize and validate every user-controlled field on save and escape it again on output, particularly fields that end up in frontend content, such as the “Accept – Button Label” field. Implementing a Content Security Policy (CSP) and conducting regular security audits can help detect and block XSS before it can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation. The vendor fixed the issue in line with the recommendations we provided.
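The following is an added illustration of the sanitize-on-save, escape-on-output pattern recommended above; it is not the GDPR Cookie Compliance plugin’s code, and the option name, form field, hook names and demo_gdpr_* function names are hypothetical. The first pair of functions reproduces the vulnerable pattern (raw POST value stored, raw option echoed), the second pair the hardened one.

```php
<?php
/**
 * Added example, not the plugin's own code. Option name, field name and
 * function names are hypothetical.
 */

// --- Vulnerable pattern: the label is stored and printed untouched. ---
function demo_gdpr_save_label_vulnerable() {
    // No capability check, no nonce, no sanitization.
    update_option( 'demo_gdpr_accept_label', $_POST['accept_label'] );
}

function demo_gdpr_render_button_vulnerable() {
    $label = get_option( 'demo_gdpr_accept_label', 'Accept' );
    // A stored "<script>...</script>" runs in every visitor's browser here.
    echo '<button class="demo-gdpr-accept">' . $label . '</button>';
}

// --- Hardened pattern. ---

// Registering the option with a sanitize_callback makes every update_option()
// call for it pass through sanitize_text_field(), not only this form handler.
function demo_gdpr_register_settings() {
    register_setting(
        'demo_gdpr',
        'demo_gdpr_accept_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => 'Accept',
        )
    );
}
add_action( 'admin_init', 'demo_gdpr_register_settings' );

function demo_gdpr_save_label() {
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the settings form cannot be submitted via CSRF.
    check_admin_referer( 'demo_gdpr_save_settings' );

    // 3. The label is plain text: strip tags, control characters and extra
    //    whitespace on save, and fall back to a default for empty/oversized input.
    $raw   = isset( $_POST['accept_label'] ) ? wp_unslash( $_POST['accept_label'] ) : '';
    $label = sanitize_text_field( $raw );
    if ( '' === $label || strlen( $label ) > 200 ) {
        $label = 'Accept';
    }
    update_option( 'demo_gdpr_accept_label', $label );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-gdpr&saved=1' ) );
    exit;
}
// Handles POST to wp-admin/admin-post.php?action=demo_gdpr_save
add_action( 'admin_post_demo_gdpr_save', 'demo_gdpr_save_label' );

function demo_gdpr_render_button() {
    $label = get_option( 'demo_gdpr_accept_label', 'Accept' );
    // 4. Escape on output no matter what is stored: values saved before the fix
    //    or restored from a backup are neutralized here as well.
    echo '<button class="demo-gdpr-accept">' . esc_html( $label ) . '</button>';
}
add_action( 'wp_footer', 'demo_gdpr_render_button' );
```

A button label never needs markup, so sanitize_text_field() plus esc_html() is the right pair; only fields that legitimately carry limited HTML should use wp_kses() with an explicit allow-list instead. To check whether an existing site already carries a payload, list the plugin’s stored options (assuming the plugin’s option names share the moove_gdpr prefix, for example with wp option list --search='moove_gdpr*') and look for angle brackets or "on" attributes in the label value, then review the admin users table for accounts you did not create.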

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1621, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2025-1621 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC
