Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that allows stored Cross‑Site Scripting (XSS). An attacker can inject malicious scripts that run in a visitor’s browser when the affected WordPress plugin renders content. The flaw is identified as CWE‑79 and involves stored user input that is later displayed without proper sanitization.

Affected Systems

The WordPress plugin "Cookie Notice & Consent" by christophrado is affected in all versions up to and including 1.6.4; later releases are not impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% implies a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Attackers can exploit it by submitting malicious content through the plugin’s configuration or administrative interface, which is then stored and rendered to site visitors without requiring privileged access.

Generated by OpenCVE AI on May 1, 2026 at 06:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cookie Notice & Consent plugin to a release newer than 1.6.4.
  • If an upgrade is not possible immediately, temporarily disable the plugin or remove stored configuration settings that allow user‑supplied content to be stored.
  • Apply a web application firewall or server‑side filtering rules to block script tags or XSS payloads when submitted through the plugin’s configuration fields.

Generated by OpenCVE AI on May 1, 2026 at 06:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 10 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 07 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Christophrado
Christophrado cookie Notice & Consent
Wordpress
Wordpress wordpress
Vendors & Products Christophrado
Christophrado cookie Notice & Consent
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.
Title WordPress Cookie Notice & Consent plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Christophrado Cookie Notice & Consent
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:02.890Z

Reserved: 2025-06-04T15:43:46.346Z

Link: CVE-2025-49390

cve-icon Vulnrichment

Updated: 2025-11-10T19:35:31.686Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:53.260

Modified: 2026-04-27T20:16:14.987

Link: CVE-2025-49390

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses