Description
Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel WP GDPR Cookie Consent wp-gdpr-cookie-consent allows Stored XSS.This issue affects WP GDPR Cookie Consent: from n/a through <= 1.0.0.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress WP GDPR Cookie Consent plugin contains a CSRF flaw that an attacker can use to submit malicious requests while a user is authenticated. The vulnerability can be leveraged to store a cross‑site scripting payload within the plugin, which would then execute in the context of any visitor to the site. This leads to potential data theft, session hijacking or defacement if the payload is crafted to exploit additional weaknesses.

Affected Systems

All installations of the Shahjahan Jewel WP GDPR Cookie Consent plugin up to and including version 1.0.0 are vulnerable. The plugin is distributed as a standard WordPress extension and is used on any WordPress site that has installed it.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is considered medium‑high. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. The likely attack path requires the victim to be logged into the WordPress admin area; an attacker would trick the user into clicking a crafted link or visiting a malicious site that sends a forged request carrying the XSS payload. Once injected, the stored script can run in the context of any site visitor, potentially compromising site integrity and confidentiality.

Generated by OpenCVE AI on April 30, 2026 at 05:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP GDPR Cookie Consent plugin to the latest version (any release after 1.0.0).
  • If an update is not available, temporarily disable or uninstall the plugin to eliminate the attack surface.
  • As a last resort, manually sanitize or remove any stored XSS payloads from the plugin data tables and review user permissions to limit the risk of further injection.

Generated by OpenCVE AI on April 30, 2026 at 05:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 10 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Shahjahan Jewel
Shahjahan Jewel wp Gdpr Cookie Consent
Wordpress
Wordpress wordpress
Vendors & Products Shahjahan Jewel
Shahjahan Jewel wp Gdpr Cookie Consent
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel WP GDPR Cookie Consent wp-gdpr-cookie-consent allows Stored XSS.This issue affects WP GDPR Cookie Consent: from n/a through <= 1.0.0.
Title WordPress WP GDPR Cookie Consent plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References

Subscriptions

Shahjahan Jewel Wp Gdpr Cookie Consent
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.568Z

Reserved: 2025-06-27T11:59:14.509Z

Link: CVE-2025-53316

cve-icon Vulnrichment

Updated: 2025-11-10T19:28:26.914Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:56.483

Modified: 2026-04-27T18:16:21.440

Link: CVE-2025-53316

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses