Impact
The vulnerability is an improper neutralization of input during web page generation, resulting in a stored cross‑site scripting flaw: malicious JavaScript can be persisted in the plugin’s configuration and is then executed whenever a site visitor loads a page that renders it. The impact includes session hijacking, defacement, or arbitrary script execution in the browser of any visiting user. Based on the description, it is inferred that an attacker could hijack users’ sessions or modify the site’s appearance.
Affected Systems
The affected product is the WordPress plugin GDPR Info: Cookie Notice & Consent Banner for GDPR & CCPA Compliance. All releases up to and including version 1.7.11 are vulnerable; no earlier safe version has been identified. Any WordPress site with this plugin installed or enabled at version 1.7.11 or earlier is exposed.
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the medium severity range. The EPSS score of less than 1 % indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely involve injecting script payloads into stored configuration fields exposed through the plugin’s administrative interface; an attacker with permission to edit those settings could affect every visitor to the site. The privilege level required is not stated in the CVE data, but stored‑XSS flaws in WordPress plugin settings are typically reachable by users with administrative or editor access, and it is inferred from the description that such access would suffice here.
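The following is an added illustration, not code from the GDPR Info plugin or from OpenCVE, of the code pattern behind a stored XSS in plugin settings and of the hardened form a maintainer would apply. The plugin slug, option name and every function prefixed `demo_` are hypothetical; `register_setting`, `wp_kses`, `esc_html`, `esc_url`, `current_user_can` and `check_admin_referer` are real WordPress APIs and the file assumes it runs inside WordPress.

```php
<?php
/**
 * Plugin Name: Demo Cookie Banner Settings (added example, hypothetical plugin)
 *
 * Shows the unsafe save/render pair that produces a stored XSS in a banner
 * setting, followed by the sanitize-on-save plus escape-on-output fix.
 */

// ---------- Vulnerable pattern ----------
// The banner text is written to the options table exactly as submitted and
// echoed raw on every front-end page, so persisted <script> runs for visitors.
function demo_vuln_save_banner_text() {
    if ( isset( $_POST['demo_banner_text'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'demo_banner_text', wp_unslash( $_POST['demo_banner_text'] ) );
    }
}

function demo_vuln_render_banner() {
    echo '<div class="cookie-banner">' . get_option( 'demo_banner_text', '' ) . '</div>';
}

// ---------- Hardened pattern ----------
// Only the markup a banner legitimately needs: links and basic emphasis.
// wp_kses() drops <script>, on* event handlers and javascript: URLs.
function demo_allowed_banner_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

function demo_sanitize_banner_text( $value ) {
    return wp_kses( (string) $value, demo_allowed_banner_html() );
}

// 1. Register the option with a sanitize callback so every write path
//    (Settings API, REST, custom handlers) passes through the filter.
function demo_register_settings() {
    register_setting(
        'demo_settings_group',
        'demo_banner_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_banner_text',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

// 2. A custom save handler must verify capability and nonce before writing.
function demo_save_banner_text() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'demo_save_banner' );
    $raw = isset( $_POST['demo_banner_text'] ) ? wp_unslash( $_POST['demo_banner_text'] ) : '';
    update_option( 'demo_banner_text', demo_sanitize_banner_text( $raw ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-banner&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_save_banner', 'demo_save_banner_text' );

// 3. Escape again on output (defence in depth): the rich-text field is
//    re-filtered with the same allow-list, plain fields use esc_html/esc_url.
function demo_render_banner() {
    $text  = get_option( 'demo_banner_text', '' );
    $label = get_option( 'demo_accept_label', 'Accept' );
    $link  = get_option( 'demo_policy_url', '' );

    echo '<div class="cookie-banner">';
    echo wp_kses( $text, demo_allowed_banner_html() );
    if ( $link !== '' ) {
        echo ' <a href="' . esc_url( $link ) . '">' . esc_html__( 'Privacy policy', 'demo' ) . '</a>';
    }
    echo ' <button type="button">' . esc_html( $label ) . '</button>';
    echo '</div>';
}
add_action( 'wp_footer', 'demo_render_banner' );

// Constructed sample, for reference: a submitted value of
//   'We use cookies. <a href="/policy" onclick="x()">Policy</a><script>y()</script>'
// is stored by demo_sanitize_banner_text() as
//   'We use cookies. <a href="/policy">Policy</a>'
// so the event attribute and the script element never reach the page.
```

The two halves of the fix are independent: the sanitize callback keeps hostile markup out of the database regardless of which code path writes the option, and the output escaping protects visitors even if an older, unsanitized value is already stored from before the plugin was updated. When reviewing a site after upgrading past an affected version, the stored option values themselves should be inspected, since patching the save path does not clean up anything persisted earlier.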
OpenCVE Enrichment