What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tox82 cookieBAR cookiebar allows Stored XSS.This issue affects cookieBAR: from n/a through <= 1.7.0.
CVE-2025-43834
MEDIUM
CVE-2025-43834: WordPress cookieBAR plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability
CVSS base score
5.9/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
02Summary
cookieBAR versions 1.7.0 and earlier contain a cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts. The vulnerability requires user interaction—typically clicking a malicious link—and can affect other users on the site. An attacker with high-level privileges can craft payloads that execute in victims' browsers, potentially compromising user sessions or data.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that executes in other users' browsers when they interact with the site.
Potential impact on your site
04Site Impact
Administrators with malicious intent can compromise user accounts, steal session tokens, or deface site content.
Conditions required to exploit
05Prerequisites
Attacker must have administrator-level access and the victim must click a link or visit a page containing the payload.
Key dates
06Disclosure timeline
May 19, 2025
CVE published
May 12, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-38521 Persistent Cross-Site Scripting (XSS) in hushline inbox
CVE-2024-43738 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
CVE-2025-49863 WordPress Advanced Sermons plugin <= 3.6 - Cross Site Scripting (XSS) Vulnerability
CVE-2022-25979
CVE-2024-22357 IBM Sterling B2B Integrator cross-site scripting
