Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner beautiful-and-responsive-cookie-consent allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through <= 4.6.1.
Published: 2025-07-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Nikel's Beautiful Cookie Consent Banner plugin arises from improper neutralization of user input during web page rendering. This reflected XSS flaw allows attackers to inject arbitrary client-side scripts that execute within the victim's browser. Attackers could steal session cookies, perform man-in-the-middle attacks, or deface the site, compromising confidentiality, integrity, and availability of user data.

Affected Systems

All versions of the plugin up through 4.6.1 are affected, with no release after that addressing the flaw. The product is a WordPress plugin distributed by the vendor Nikel. Site administrators running the plugin should compare the installed version against this range to identify vulnerable builds.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. The EPSS score of less than 1% suggests the probability of successful exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is web-based and remote, requiring a victim to visit a maliciously crafted URL or input field managed by the plugin; no authentication is required.

Generated by OpenCVE AI on April 30, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Beautiful Cookie Consent Banner plugin immediately to a fixed version newer than 4.6.1, obtained from the official source or WordPress repository.
  • If upgrading is not possible, remove the plugin entirely or replace it with a vetted alternative that sanitizes inputs.
  • Deploy a web application firewall (WAF) rule set that filters XSS payloads targeting the plugin's input vectors, following CWE-79 mitigation best practices.

Advisories

Source: EUVD
ID: EUVD-2025-19989
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through 4.6.1.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through 4.6.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner beautiful-and-responsive-cookie-consent allows Reflected XSS.This issue affects Beautiful Cookie Consent Banner: from n/a through <= 4.6.1.

Type: Title
Values Removed: WordPress Beautiful Cookie Consent Banner <= 4.6.1 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Beautiful Cookie Consent Banner plugin <= 4.6.1 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 07 Jul 2025 15:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 11:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through 4.6.1.

Type: Title
Values Added: WordPress Beautiful Cookie Consent Banner <= 4.6.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:56.106Z

Reserved: 2025-06-11T16:06:05.694Z

Link: CVE-2025-49866

Vulnrichment

Updated: 2025-07-07T14:40:49.610Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:31.837

Modified: 2026-06-17T09:32:02.937

Link: CVE-2025-49866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')