CVE-2025-1622 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin for WordPress is widely used to help websites comply with the European Union’s General Data Protection Regulation (GDPR). One of the core features of the plugin is its cookie consent banner, which informs users about the use of cookies and requests their consent. However, a critical vulnerability, CVE-2025-1622, has been identified in the plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows an attacker with editor-level access to inject malicious JavaScript into the “Cookie Banner Content” field. Once saved, the injected script is stored and executed when the banner is displayed on the site’s frontend, potentially leading to account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability poses a significant security risk for WordPress websites using the GDPR Cookie Compliance plugin.

CVE	CVE-2025-1622
Plugin	GDPR Cookie Compliance < 4.15.7
Critical	High
All Time	10 511 174
Active installations	300 000+
Publicly Published	January 17, 2025
Last Updated	January 17, 2025
Researcher	Dmitrii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1622 https://wpscan.com/vulnerability/7a903d61-2792-4fe0-a26b-f400f4a3124b/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

Get Plugin Security Certificate

PSC by Cleantalk

Timeline

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of the GDPR Cookie Compliance plugin. The issue is related to the lack of input sanitization in the “Cookie Banner Content” field located under the “Advanced” settings. This field is designed to allow users to customize the content of the cookie consent banner. However, it fails to sanitize or validate JavaScript input, allowing an attacker to inject malicious code. For example, an attacker can inject JavaScript into the field. Once saved, this malicious payload is stored in the WordPress database and executed when the consent banner is displayed on the frontend. This flaw occurs because the plugin does not adequately sanitize user input, leading to a vulnerability that can be exploited by attackers with editor-level privileges.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into a website, which are then executed in the browser of any user who views the affected page. XSS vulnerabilities can be used to steal cookies, hijack sessions, and perform unauthorized actions on behalf of the victim. In WordPress, XSS vulnerabilities are commonly found in plugins that allow user input without proper sanitization. A real-world example of XSS in WordPress was found in the WPForms plugin, where an attacker could inject JavaScript into form fields to steal sensitive information. Similarly, CVE-2025-1622 in the GDPR Cookie Compliance plugin allows attackers to inject JavaScript into the “Cookie Banner Content” field, leading to session hijacking, account takeover, or the creation of backdoor admin accounts.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1622, an attacker with editor-level privileges:

POC:

1) You should go to the settings of this plugin http://127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=banner-settings
2) Change "Cookie Banner Content" field  in "Advanced" settings to "Malicious JS code eval() and etc.
3) Save Settings
4) To trigger XSS you should go to any accessible page 

____

The potential risks associated with CVE-2025-1622 are considerable. If exploited, the attacker could hijack the session of an administrator or another user with elevated privileges, granting the attacker full control over the WordPress site. This could lead to unauthorized access to sensitive data, modification of site content, and the installation of malicious plugins. In a real-world scenario, an attacker could create a backdoor admin account, allowing them persistent access to the site even after the vulnerability is patched. This is particularly concerning for websites that handle sensitive user information, such as e-commerce or membership sites, where the exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, an attacker could use the backdoor to install further malicious code, compromising the security of other systems connected to the WordPress site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2025-1622, administrators should immediately update the GDPR Cookie Compliance plugin to the latest patched version once a fix is released. Administrators should also restrict the unfiltered_html capability for non-admin users, especially editors, to prevent JavaScript injection in plugin settings. It is essential to properly sanitize and validate all user input fields, particularly those that affect frontend content, such as the “Cookie Banner Content” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1622, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.