GDPR Cookie Compliance < 4.15.7 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE 2025-2205 | Plugin Vulnerabilities

Description

The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

gdpr-cookie-compliance

Fixed in 4.15.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/37da32e4-48a1-4830-a47c-c454d60c9811

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

90898077-3753-4295-9fd5-d45d5b1f93f1

Timeline

Publicly Published

2025-02-23 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-12 (about 1 year ago)

Other

Published

Title

Published

2024-09-25

Title

WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header

Published

2025-11-03

Title

MeetingList <= 0.11 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2023-02-15

Title

Nooz < 1.7.0 - Admin+ Stored XSS

Published

2024-05-02

Title

Simple Image Popup < 2.5.3 - Admin+ Stored XSS

Published

2015-05-13

Title

Indieweb Post Kinds <= 1.3.1 - DOM Cross-Site Scripting (XSS)