Impact
The Cookie Notice & Consent WordPress plugin stores data supplied via the uuid parameter without proper sanitization or output escaping. As a result, an unauthenticated attacker can inject arbitrary JavaScript into the stored record. When the plugin renders that data in any page viewed by a user, the malicious script executes in the victim’s browser context, enabling session hijacking, credential theft, or defacement of the site’s content. This is a classic instance of CWE‑80: a cross‑site scripting flaw whose payloads compromise confidentiality and integrity, and potentially the availability of the user experience.
Affected Systems
Any WordPress installation running Cookie Notice & Consent version 1.6.5 or earlier is affected. Versions newer than 1.6.5 are not impacted, as the issue was addressed in later releases.
Risk and Exploitability
The CVSS base score of 7.2 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would target the plugin’s logging or configuration endpoints with a crafted uuid value that contains malicious script. Once stored, the script is rendered whenever a page retrieves that value, causing it to execute in the victim’s browser. The description does not specify the exact endpoint or whether authentication is required, so any details about an exposed admin URL or fuzzing attempts are inferred. The lack of input validation or output escaping on the uuid field is the core weakness enabling this exploit path.
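The two missing controls named above (input validation and output escaping on the uuid field) can be sketched in plain PHP 8 as an added example; this is not the plugin's code or its actual patch. The function names and sample values are hypothetical, and it assumes the field is meant to hold an RFC 4122 UUID, as its name suggests. Inside WordPress the equivalent building blocks are `wp_is_uuid()` and `esc_html()` / `esc_attr()`.

```php
<?php
declare(strict_types=1);

// Assumption: the value is meant to be an RFC 4122 UUID, as the parameter name suggests.
const UUID_PATTERN = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/i';

/**
 * Input side: return the canonical lower-case UUID, or null if the value
 * is anything else. Rejecting is safer than trying to strip markup.
 */
function normalize_uuid(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // arrays (uuid[]=...) and missing values
    }
    $value = trim($raw);
    return preg_match(UUID_PATTERN, $value) === 1 ? strtolower($value) : null;
}

/**
 * Output side: escape for an HTML text context even though new values are
 * validated, so rows stored before validation existed render as inert text.
 */
function render_uuid_cell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    '3F2B8C1E-9D4A-4E7B-8A6F-0C1D2E3F4A5B',
    '<script>alert(1)</script>',
    ['nested' => 'array'],
];

foreach ($samples as $raw) {
    $uuid = normalize_uuid($raw);
    echo $uuid === null ? "rejected\n" : "stored: {$uuid}\n";
}

// A legacy row written before the fix is neutralised at render time.
echo render_uuid_cell('<script>alert(1)</script>'), "\n";
```

Validation alone does not clean up records stored before an upgrade, which is why the render path escapes as well.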