CVE-2025-63019 MEDIUM

CVE-2025-63019: WordPress Cookies and Content Security Policy plugin <= 2.34 - Sensitive Data Exposure vulnerability

Vendor: Johan Jonk Stenström
Product: Cookies and Content Security Policy
Weakness: CWE-201
Published: January 22, 2026
Last update: April 28, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34.

Explanation of Vulnerability in Simple Terms

02 Summary

Cookies and Content Security Policy versions 2.34 and earlier expose sensitive information through improper handling of cookie data. A remote attacker can read limited confidential information over the network without authentication or user interaction. The vulnerability affects how the product manages cookies in relation to CSP headers, potentially leaking data to unauthorized parties.

What an attacker can do

03 Attacker Capabilities

Read sensitive cookie or CSP-related data transmitted over the network without authentication.

Potential impact on your site

04 Site Impact

Visitor or user data in cookies may be exposed to network-level attackers; CSP bypass or cookie leakage possible.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

January 22, 2026: CVE published
April 28, 2026: Record updated