CVE-2025-49866

Vulnerability

Description A reflected Cross-Site Scripting (XSS) vulnerability exists in Nikel's Beautiful Cookie Consent Banner plugin for WordPress, affecting versions from n/a through 4.6.1 [1]. The root cause is improper neutralization of user input during web page generation, enabling the injection of arbitrary HTML and JavaScript into the page output [1].

Exploitation

Attackers can exploit this flaw by crafting a malicious link or visiting a specially prepared page, which requires a privileged user (admin or similar) to click the link or submit a form [1]. This user interaction is necessary for successful exploitation, and the vulnerability does not require authentication from the attacker [1].

Impact

Successful exploitation could allow a malicious actor to inject scripts that execute in the context of the victim's browser session, such as redirects, advertisements, or other HTML payloads, potentially compromising the integrity of the website for visitors [1].

Mitigation

The vendor has released version 4.6.2 which resolves the vulnerability [1]. Users are strongly advised to update immediately or enable auto-updates if using a Patchstack protection service [1]. No workaround is provided, and due to the specific nature of the XSS, Patchstack cannot assign a virtual patch [1].