Vulnerabilities and security researches forcookie-notice-consent cookie-notice-consent

Nov 11, 2025

CVE, Research URL: CVE-2025-49390
Home page URL: Security reports for Cookie Notice & Consent
Application: Cookie Notice & Consent
Date: Nov 06, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.
Affected versions: max 1.6.4.
Status: vulnerable

CVE, Research URL: CVE-2025-10496
Home page URL: Security reports for Cookie Notice & Consent
Application: Cookie Notice & Consent
Date: Oct 09, 2025
Research Description: The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.6.6.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-41948
Home page URL: Security reports for Cookie Notice & Consent
Application: Cookie Notice & Consent
Date: Sep 25, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Christoph Rado Cookie Notice & Consent plugin <= 1.6.0 versions.
Affected versions: max 1.6.1.
Status: vulnerable

CVE, Research URL: ef7eb3a1f8ceb3e74177520366ebf799e8492b1a
Home page URL: Security reports for Cookie Notice & Consent
Application: Cookie Notice & Consent
Date: Sep 05, 2023
Research Description: Cookie Notice & Consent [cookie-notice-consent] < 1.6.1 Cookie Notice & Consent 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 1.6.1.
Status: vulnerable