Impact
The Senktec Implied Cookie Consent plugin for WordPress, through version 1.3, fails to neutralize user-controlled input before writing it into a generated page. The result is a reflected cross-site scripting flaw (CWE-79): attacker-crafted input is echoed back to the browser unencoded, so the attacker can run arbitrary JavaScript in the site's origin for any user who opens a crafted link. Such script can read session cookies that are not marked HttpOnly, perform actions as the victim, deface the rendered page, or redirect the user to an attacker-controlled destination, affecting the confidentiality, integrity, and availability of the victim's interaction with the site.
Affected Systems
Any WordPress site running the Senktec Implied Cookie Consent plugin at version 1.3 or earlier. Every release up to and including 1.3 is affected, so any site that relies on this plugin for its cookie-consent notice is exposed. This page identifies 1.3 only as the last affected release; confirm that a later release exists and contains the fix before treating an upgrade as remediation.
Risk and Exploitability
A CVSS base score of 7.1 places the flaw in the High severity band, while an EPSS score below 1% indicates a low probability of exploitation in the wild as of this assessment. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires the attacker to get a victim to open a crafted URL, or submit crafted input, that the plugin echoes into the page. The flaw is reachable over the network by an unauthenticated party, but it depends on user interaction, so a phishing message or a link planted on another site is the usual delivery. Once the script runs in the victim's browser it can hijack the session, present phishing content, or inject arbitrary markup; the risk is highest where administrators or other logged-in users may follow the link.
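The vulnerable output pattern behind the flaw described under Impact, its hardened counterpart, and the reflection check that decides whether a crafted URL is echoed unencoded, as an added PHP example. This is illustrative code written for this page, not the Senktec plugin's source; the parameter name `return`, the banner markup, and the probe strings are constructed for the demonstration, and no claim is made about which parameter the real plugin reflects.

```php
<?php
// Added illustration of the CWE-79 pattern, not the Senktec plugin's code.
// The "return" parameter and the banner markup are hypothetical.

// Vulnerable pattern: a query-string value is written into an attribute and
// into element text with no encoding, so "><script>... closes the attribute
// and injects markup.
function render_banner_vulnerable(array $get): string
{
    $return = $get['return'] ?? '/';
    return '<div class="cookie-notice">We use cookies. '
        . '<a href="' . $return . '">Continue to ' . $return . '</a></div>';
}

// Hardened form: validate the value for its context, then encode it.
function render_banner_fixed(array $get): string
{
    // Reject non-string input (return[]=x arrives as an array) up front.
    $return = (isset($get['return']) && is_string($get['return'])) ? $get['return'] : '/';

    // href context: encoding alone does not stop "javascript:" URLs, so
    // restrict the value to a site-relative path (exactly one leading slash,
    // which also rejects protocol-relative "//evil.example").
    if (!preg_match('#^/(?!/)#', $return)) {
        $return = '/';
    }

    // Encode for the attribute and text contexts. ENT_QUOTES covers both
    // quote characters so the value cannot close the attribute. Inside a
    // WordPress plugin the equivalents are esc_url() for the href and
    // esc_html() for the text node.
    $safe = htmlspecialchars($return, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<div class="cookie-notice">We use cookies. '
        . '<a href="' . $safe . '">Continue to ' . $safe . '</a></div>';
}

// The check a scanner applies after sending a probe: does the response body
// contain the probe byte-for-byte, i.e. without any encoding applied?
function reflects_unencoded(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed probe 1: breaks out of the attribute and opens a script tag.
$probe1 = '"><script>alert(document.cookie)</script>';
// Constructed probe 2: passes the path allow-list, so only encoding protects it.
$probe2 = '/?next="><script>alert(1)</script>';

foreach ([$probe1, $probe2] as $probe) {
    $request = ['return' => $probe];
    $vuln  = render_banner_vulnerable($request);
    $fixed = render_banner_fixed($request);

    echo "probe: ", $probe, "\n";
    echo "  vulnerable reflects unencoded: ", var_export(reflects_unencoded($vuln, $probe), true), "\n";
    echo "  fixed reflects unencoded:      ", var_export(reflects_unencoded($fixed, $probe), true), "\n";
    echo "  fixed output: ", $fixed, "\n";
}
```

Run with `php example.php`. The vulnerable renderer reflects both probes verbatim; the hardened renderer replaces the first probe with `/` because it is not a site-relative path, and renders the second as `/?next=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text rather than executing. The point of the two probes is that context-appropriate validation and output encoding are both needed: encoding alone would still let a `javascript:` URL through the href, and validation alone would still let a path carrying quotes break out of the attribute.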
OpenCVE Enrichment
EUVD