CVE-2025-1485: 
WordPress vulnerability analysis and mitigation

The Real Cookie Banner WordPress plugin versions before 5.1.6 (including both real-cookie-banner and real-cookie-banner-pro variants) contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered on May 12, 2025, and was assigned CVE-2025-1485 (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow authenticated administrators to inject and execute malicious JavaScript code in the context of other users' browsers who access the affected pages. This could potentially lead to unauthorized actions, data theft, or manipulation of the website's content (WPScan).

The vulnerability has been patched in version 5.1.6 of both real-cookie-banner and real-cookie-banner-pro plugins. Users are strongly advised to update their installations to this version or later to mitigate the security risk (WPScan).