CVE-2025-50014

Vulnerability

Overview The PDPA Consent for Thailand WordPress plugin (versions <= 1.1.1) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed whenever a user visits the affected page.

Exploitation

Details Exploitation requires a privileged user to perform an action, such as clicking a malicious link or submitting a crafted form, but does not require the attacker to have any special privileges beyond the ability to input data [1]. Once the malicious script is stored, it will be executed in the context of visitors' browsers when they access the compromised site.

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which are executed when guests visit the website [1]. This can lead to data theft, defacement, or further compromise of site visitors.

Mitigation

The vulnerability has been addressed in a patch; users are advised to update the plugin immediately to the latest available version [1]. If an update is not possible, site administrators should seek assistance from their hosting provider or a web developer to mitigate the risk.