The GDPR Cookie Compliance plugin is a widely used tool for WordPress sites, enabling them to display cookie consent banners and helping website owners comply with the European Union’s General Data Protection Regulation (GDPR). However, a serious vulnerability (CVE-2025-1623) has been discovered that allows attackers to inject malicious JavaScript code into the “Tracking ID” field under the plugin’s integrations settings. The injected payload is stored in the plugin’s settings and executed as a stored XSS (Cross-Site Scripting) attack, which can be used to create a backdoor account and carry out other malicious activities. With over 300,000 active installations, this vulnerability poses a significant security risk to websites using this plugin.

CVE: CVE-2025-1623
Plugin: GDPR Cookie Compliance < 4.15.7
Severity: High
All-time downloads: 10 511 174
Active installations: 300 000+
Publicly published: February 17, 2025
Last updated: February 17, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1623
https://wpscan.com/vulnerability/40288fa0-50c6-4e13-9b92-968b060d3bf5/

Timeline

January 23, 2025: Plugin testing and vulnerability detection in the GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin have been completed
January 23, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 17, 2025: Registered CVE-2025-1623

Discovery of the Vulnerability

CVE-2025-1623 was found in the “Integrations” section of the GDPR Cookie Compliance plugin’s settings. This section allows users to enable integrations such as Google Tag Manager, which provides advanced tracking and analytics on WordPress websites. However, the plugin fails to validate and escape input in this section, particularly the “Tracking ID” field, which is meant to hold a Google Tag Manager container ID. An attacker can exploit this flaw by saving a value that breaks out of the HTML attribute the field is printed into, followed by an event handler carrying arbitrary JavaScript. Once saved, the payload is stored in the plugin’s settings and executed in the browser of whoever reloads the settings page and interacts with the field.

Understanding XSS Attacks

Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications, especially on platforms like WordPress, which accept user input in many places such as comments, forms, and settings fields. XSS vulnerabilities occur when an attacker injects malicious JavaScript into a webpage, which is then executed by the browser of a user who visits the page. This can lead to a variety of issues, such as session hijacking, theft of user credentials, website defacement, or the installation of malicious scripts. A real-world example of a similar vulnerability occurred in the WordPress plugin WPForms, where attackers were able to inject malicious JavaScript into form fields. In this case, CVE-2025-1623 in the GDPR Cookie Compliance plugin enables attackers to inject harmful scripts into the “Tracking ID” field, leading to potential account takeover and unauthorized actions.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1623, an attacker with editor-level privileges proceeds as follows:

POC:

1) Open the plugin’s settings page: 127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=integrations
2) Switch the "Google Tag Manager" option to "On" and set the "Tracking ID" field to a payload that closes the attribute and adds an event handler, for example: 123" onmouseover=alert(1)// (any JavaScript, such as an eval() loader, can replace alert(1))
3) Save the settings
4) To trigger the XSS, reload the page and hover over the injected text: the stored value is echoed into the input’s value attribute without escaping, so the double quote terminates the attribute and onmouseover becomes a live handler
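The pattern behind the PoC, as an added example in PHP that is not the plugin’s own code: a hypothetical settings handler stores the Tracking ID raw and echoes it into a quoted attribute, so the payload above closes the attribute and adds an onmouseover handler; next to it is the hardened version, which checks the capability and nonce, allowlists the ID format on save and escapes for the output context. The option name, field name, function names, the GTM-prefixed format check and the use of the ID in a gtm.js loader URL are all assumptions.

```php
<?php
/**
 * Added example, not the GDPR Cookie Compliance plugin's code.
 * Models the CVE-2025-1623 pattern in a hypothetical settings handler:
 * option name, field name and function names are assumptions.
 */

/* ---------- Vulnerable pattern ---------- */

// Stores whatever was posted. Nothing checks the format of the value.
function hypo_gdpr_save_tracking_id_vulnerable() {
    if ( isset( $_POST['tracking_id'] ) ) {
        update_option( 'hypo_gdpr_tracking_id', wp_unslash( $_POST['tracking_id'] ) );
    }
}

// Echoes the stored value straight into a quoted attribute. With the PoC
// payload  123" onmouseover=alert(1)//  the markup becomes
//   <input type="text" name="tracking_id" value="123" onmouseover=alert(1)//">
// so the double quote closes value="..." and onmouseover is a real handler.
function hypo_gdpr_render_tracking_id_vulnerable() {
    $id = get_option( 'hypo_gdpr_tracking_id', '' );
    echo '<input type="text" name="tracking_id" value="' . $id . '">';
}

/* ---------- Hardened pattern ---------- */

function hypo_gdpr_save_tracking_id() {
    // Only administrators may change site-wide tracking settings, and the
    // request must carry the nonce issued by the settings form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hypo_gdpr_save_settings' );

    if ( ! isset( $_POST['tracking_id'] ) ) {
        return;
    }
    $raw = sanitize_text_field( wp_unslash( $_POST['tracking_id'] ) );

    // Allowlist instead of blocklist: a GTM container ID is "GTM-" followed by
    // upper-case letters and digits (assumed format; widen it if you also accept
    // other Google IDs). The PoC payload fails this test outright.
    if ( '' !== $raw && ! preg_match( '/^GTM-[A-Z0-9]{4,12}$/', $raw ) ) {
        add_settings_error( 'hypo_gdpr', 'tracking_id', 'Tracking ID must look like GTM-XXXXXXX.' );
        return;
    }
    update_option( 'hypo_gdpr_tracking_id', $raw );
}

function hypo_gdpr_render_tracking_id() {
    $id = get_option( 'hypo_gdpr_tracking_id', '' );
    // Escape for the HTML-attribute context at output time even though the value
    // was validated on save: a value written to the database by another path
    // (another plugin, a migration, direct SQL access) never saw the save check.
    echo '<input type="text" name="tracking_id" value="' . esc_attr( $id ) . '">';
}

// Frontend side (assumption: the ID is used to build the gtm.js loader URL).
// URL-encode the ID and escape the whole URL for the attribute, rather than
// concatenating the raw value into inline JavaScript.
function hypo_gdpr_print_gtm_loader() {
    $id = get_option( 'hypo_gdpr_tracking_id', '' );
    if ( '' === $id ) {
        return;
    }
    $src = 'https://www.googletagmanager.com/gtm.js?id=' . rawurlencode( $id );
    echo '<script async src="' . esc_url( $src ) . '"></script>' . "\n";
}
```

The two halves differ in three places that matter: the save path rejects anything that is not a plausible container ID instead of trying to strip script fragments out of it, the render path escapes for the attribute context regardless of what is stored, and the public-side output never places the value inside a JavaScript string at all.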

____

The risks associated with CVE-2025-1623 are high, particularly because the vulnerability can be exploited by users with lower-level privileges, such as editors. Once the payload is stored, it runs in the browser of any administrator who opens the plugin’s integrations settings and hovers over the field, which lets the attacker hijack that administrator’s session or perform actions with their privileges. This would give the attacker full control over the WordPress site, allowing them to modify the site’s content, steal sensitive data, install malicious plugins, or create new admin accounts. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges and create a backdoor admin account, giving them persistent access to the site. This is especially dangerous for websites that handle sensitive user data, such as e-commerce or membership sites. Exploitation of this vulnerability could lead to data breaches, financial losses, reputational damage, and regulatory penalties.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2025-1623, administrators should immediately update the GDPR Cookie Compliance plugin to version 4.15.7 or later, which contains the fix. In addition, administrators should restrict the unfiltered_html capability for non-admin users, particularly editors, to limit their ability to inject JavaScript; note that WordPress core consults this capability when filtering post and comment content, so it only protects a plugin’s own settings fields if the plugin checks the capability before saving, which makes this defence in depth rather than a substitute for the update. On the plugin side, every setting that ends up in frontend or admin markup, such as the “Tracking ID” field, should be validated against the format it is expected to hold on save and escaped for the context it is written into at output time. Implementing a Content Security Policy (CSP) and conducting regular security audits can help identify and block potential XSS vulnerabilities before they can be exploited. Administrators should also limit user permissions and periodically review user roles to prevent privilege escalation attacks and reduce the potential impact of this vulnerability. The vendor applied the prevention methods we recommended when fixing this issue.
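Site-side hardening for the unfiltered_html recommendation, as an added example that is not CleanTalk’s or the plugin vendor’s code: a must-use plugin that denies unfiltered_html to any user who cannot manage_options, using the map_meta_cap filter so that nothing is written to the roles stored in the database and the change is undone simply by removing the file. Using manage_options as the administrator test is an assumption.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html to non-administrators
 * Description: Hardening example (not the GDPR Cookie Compliance plugin's code).
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumption: "can manage_options" is used as the administrator test.
add_filter( 'map_meta_cap', 'hypo_deny_unfiltered_html', 10, 4 );

function hypo_deny_unfiltered_html( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    // user_can() for a different capability runs through this filter again,
    // but the early return above means it does not re-enter this branch.
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        // 'do_not_allow' is the core sentinel: once it is in the list,
        // current_user_can( 'unfiltered_html' ) returns false for this user.
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
```

Core only uses unfiltered_html to decide whether post and comment content is passed through its HTML filter; an option saved by a plugin is not filtered unless the plugin itself checks the capability, so this blocks an editor from planting scripts in content while the plugin update remains the actual fix for the Tracking ID field. To deny the capability to everyone, including administrators, define DISALLOW_UNFILTERED_HTML as true in wp-config.php instead.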

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1623, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2025-1623 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC
