CVE-2025-1624 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a widely used tool for WordPress websites to ensure compliance with the European Union’s General Data Protection Regulation (GDPR). The plugin enables site owners to manage cookie consent banners, which are essential for informing users about the use of cookies and obtaining their consent. However, a critical vulnerability (CVE-2025-1624) has been discovered in the plugin, which allows attackers with editor-level access to inject malicious JavaScript into the “Tab Content” field within the plugin’s settings. This malicious JavaScript is then executed when the user interacts with the consent banner. This vulnerability can result in the creation of backdoor accounts, account takeover, and session hijacking. With over 300,000 active installations, the exploitation of this vulnerability poses a significant threat to websites using the GDPR Cookie Compliance plugin.

CVE	CVE-2025-1624
Plugin	GDPR Cookie Compliance < 4.15.7
Critical	High
All Time	10 511 174
Active installations	300 000+
Publicly Published	January 17, 2025
Last Updated	January 17, 2025
Researcher	Dmitrii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1624 https://wpscan.com/vulnerability/2f4a402a-97f6-4638-9ce0-456ccd5606e9/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

Get Plugin Security Certificate

PSC by Cleantalk

Timeline

Discovery of the Vulnerability

CVE-2025-1624 was identified during a security review of the GDPR Cookie Compliance plugin. The vulnerability is located in the “Tab Content” field under the “Third Party Cookies” settings. This field allows administrators to add custom content to the tab that appears in the cookie consent banner. However, the plugin fails to properly sanitize or validate user input, allowing attackers to inject arbitrary JavaScript code. An attacker can inject a payload, which is then stored in the plugin’s settings. When a user interacts with the consent banner, the injected script is executed. This vulnerability arises due to the lack of input sanitization, allowing malicious code to be stored and executed on the frontend.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious JavaScript into a website, which is then executed by users visiting the site. In WordPress, XSS vulnerabilities are often found in plugins that allow user input, such as comment sections, form fields, or settings pages. A real-world example of XSS in WordPress is the vulnerability found in the WPForms plugin, which allowed attackers to inject malicious scripts into form fields, resulting in session hijacking and unauthorized actions. Similarly, CVE-2025-1624 in the GDPR Cookie Compliance plugin enables attackers to inject JavaScript into the “Tab Content” field, leading to the execution of malicious scripts when users interact with the cookie consent banner. This can result in account takeover, defacement of the site, or the installation of malicious backdoors.

Exploiting the XSS Vulnerability

To exploit CVE-2025-1624, an attacker with editor-level privileges:

POC:

1) You should go to the settings of this plugin 127.0.0.1/wordpress/wp-admin/admin.php?page=moove-gdpr&tab=third-party-cookies
2) Turn it on. Change "Tab Content" field to "Malicious JS code eval() and etc.
3) Save Settings
4) To trigger XSS you should reload page and hover on your text

____

The risks associated with CVE-2025-1624 are significant. If an attacker successfully exploits this vulnerability, they can hijack the session of an administrator or other user with elevated privileges, giving them full control over the WordPress site. This could lead to unauthorized access to sensitive data, installation of malicious plugins, modification of site content, or the creation of new user accounts with admin privileges. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges and create a backdoor admin account, allowing them persistent access to the site, even after the vulnerability is patched. This is particularly concerning for websites handling sensitive user information, such as e-commerce sites or membership platforms. If exploited, this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, attackers could use this vulnerability to install further malicious scripts or backdoors, further compromising the website’s security.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2025-1624, it is crucial for administrators to update the GDPR Cookie Compliance plugin to the latest patched version once a fix is released. Administrators should also restrict the unfiltered_html capability for non-admin users, particularly editors, to prevent them from injecting JavaScript into plugin settings. Proper input sanitization and validation should be implemented for all user input fields, especially those affecting frontend content, such as the “Tab Content” field. Additionally, site owners should implement Content Security Policies (CSP) and perform regular security audits to identify and mitigate potential XSS vulnerabilities. Limiting user permissions and periodically reviewing user roles can also help prevent privilege escalation attacks and reduce the potential impact of this vulnerability. To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-1624, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.