Impact
This vulnerability is an improper neutralization of input during web page generation (stored cross-site scripting), allowing an attacker to inject and store malicious script in the WordPress plugin’s content. The flaw is a classic stored XSS: the stored script executes in the browser of any visitor to the affected site, compromising the confidentiality, integrity, and availability of that user’s session. The CVSS score of 5.9 indicates moderate severity; the attack does not involve remote code execution or privilege escalation, but it can be used to deface the site, steal credentials, or modify the site’s appearance. The flaw exists in all releases of Humanityco Cookie Notice & Compliance for GDPR / CCPA up to and including 2.5.8.
Affected Systems
WordPress sites that use the Humanityco Cookie Notice & Compliance for GDPR / CCPA plugin, version 2.5.8 or earlier. The plugin is a WordPress add‑on that manages cookie banners and compliance notices and allows site administrators to configure privacy settings.
Risk and Exploitability
The EPSS score is below 1%, indicating that widespread exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. An attacker could gain access to the plugin’s administration interface, insert malicious JavaScript into a field that is stored and rendered on every page, and cause that script to run in the browsers of all site visitors. Because the flaw is a stored XSS, it does not require the target user to click a link; the payload executes automatically whenever the page content is served.
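The pattern described above (a settings value that is stored and later rendered without escaping) and its hardened counterpart, as an added illustration for defenders. This is not the plugin’s code and does not reproduce the specific flaw; the option name `example_banner_text`, the form field `banner_text`, the nonce action and all function names are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration (not the plugin's own code): a stored-XSS pattern behind a
 * WordPress settings field, and the hardened equivalent that authorizes the
 * write, sanitizes on save, and escapes on output. All names are assumptions.
 */

// ----- Vulnerable pattern: stored as received, echoed as stored -----

function example_unsafe_save_banner_text() {
    // Assumption: a settings form posts the banner text as $_POST['banner_text'].
    if ( isset( $_POST['banner_text'] ) ) {
        // No capability check, no nonce, no sanitization: whatever was posted
        // is written to the database verbatim.
        update_option( 'example_banner_text', wp_unslash( $_POST['banner_text'] ) );
    }
}

function example_unsafe_render_banner() {
    // The stored markup reaches every visitor's browser unmodified, so any
    // script element or event-handler attribute in it runs on every page view.
    echo '<div class="cookie-banner">' . get_option( 'example_banner_text', '' ) . '</div>';
}

// ----- Hardened pattern: authorize, sanitize on write, escape on output -----

function example_safe_register_setting() {
    // Idiomatic WordPress: declare the option with a sanitize callback so every
    // write through the Settings API is filtered, not just this one form.
    register_setting(
        'example_banner_settings',
        'example_banner_text',
        array( 'sanitize_callback' => 'wp_kses_post' )
    );
}
add_action( 'admin_init', 'example_safe_register_setting' );

function example_safe_save_banner_text() {
    if ( ! isset( $_POST['banner_text'] ) ) {
        return;
    }
    // Only users who may manage options can change the banner ...
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // ... and the request must carry a valid nonce from the settings form
    // (check_admin_referer() terminates the request if it does not).
    check_admin_referer( 'example_banner_settings' );

    // Keep only the HTML that post content may contain (paragraphs, links,
    // emphasis); script elements and on* attributes are removed.
    $clean = wp_kses_post( wp_unslash( $_POST['banner_text'] ) );
    update_option( 'example_banner_text', $clean );
}

function example_safe_render_banner() {
    // Escape at the point of output as well: a value may have been stored by an
    // older, unsanitized code path, so stored data is never trusted on its own.
    $text = get_option( 'example_banner_text', '' );
    echo '<div class="cookie-banner">' . wp_kses_post( $text ) . '</div>';
}

// Fields that should never contain markup get stricter treatment: strip tags
// on save and entity-encode on output, choosing the escaper by context.
function example_safe_button_label_html( $label ) {
    $plain = sanitize_text_field( $label );
    // esc_attr() for the attribute context, esc_html() for the text node.
    return '<button aria-label="' . esc_attr( $plain ) . '">' . esc_html( $plain ) . '</button>';
}
```

Two points of design matter here. Sanitizing on write and escaping on read are separate controls, and the hardened version applies both, because a database may already hold values written before the fix. The escaper must also match the output context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `wp_kses_post()` where limited HTML is intentionally allowed. After upgrading a plugin that had a stored-XSS fix, administrators can inspect the persisted settings (for example with WP-CLI’s `wp option get <option-name>`, substituting the plugin’s real option name) to confirm that no script markup remains stored from before the update.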
OpenCVE Enrichment