CVE-2025-46525 MEDIUM

CVE-2025-46525: WordPress WP Cookie Consent plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability

Vendor Msmitley
Product WP Cookie Consent
Weakness CWE-79 · XSS
Published April 24, 2025
Last update April 28, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in msmitley WP Cookie Consent wp-cookie-consent allows Stored XSS. This issue affects WP Cookie Consent: from n/a through <= 1.0.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Cookie Consent versions 1.0 and earlier contain a cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts. The vulnerability requires an admin to visit a crafted page or link. Successful exploitation can compromise site integrity and expose visitor data.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs on the site and affects visitors or other admins.

Potential impact on your site

04 Site Impact

An admin account could be used to inject malicious code affecting your site's functionality and visitor trust.

Conditions required to exploit

05 Prerequisites

Attacker must have administrator access and trick an admin into visiting a malicious link or page.

Key dates

06 Disclosure timeline

April 24, 2025 CVE published
April 28, 2026 Record updated