Medium severity 5.9 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-67554

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Cookie Notice & Compliance for GDPR/CCPA plugin (<=2.5.8) allows attackers to inject malicious scripts via improper input neutralization.

Overview

A stored cross-site scripting (XSS) vulnerability exists in the Cookie Notice & Compliance for GDPR / CCPA WordPress plugin (versions up to and including 2.5.8). The flaw arises from improper neutralization of user input during web page generation, allowing malicious JavaScript to be stored and executed in the context of an administrator's session [1].

Exploitation

Requirements: Exploitation requires a user with administrative privileges to perform an action, such as clicking a crafted link or submitting a form, meaning the attacker must first convince a privileged user to trigger the payload. Once activated, the injected script is saved and will execute for other visitors [1].

Impact

Successful exploitation could allow attackers to inject arbitrary scripts, including redirects, advertisements, or other HTML payloads, potentially compromising site integrity and user sessions [1].

Mitigation

The developer has patched this vulnerability in version 2.5.9. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
