CVE-2025-1619: 
WordPress vulnerability analysis and mitigation

The GDPR Cookie Compliance WordPress plugin before version 4.15.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-1619. The vulnerability was discovered and reported by Dmitrii Ignatyev, and it affects the plugin's settings functionality. The issue stems from improper sanitization and escaping of certain settings fields, which could be exploited even when the unfiltered_html capability is disabled (WPScan).

The vulnerability exists due to insufficient sanitization and escaping of settings fields in the GDPR Cookie Compliance plugin. The issue specifically affects the Cookie Settings Screen, where certain checkbox labels can accept and store malicious JavaScript code. The CVSS 3.1 score for this vulnerability is 4.8 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly concerning in multisite setups where the unfiltered_html capability is typically disabled as a security measure. The stored XSS payload can be triggered when any user accesses frontend pages and interacts with the cookie banner settings (WPScan).

The vulnerability has been patched in version 4.15.7 of the GDPR Cookie Compliance plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).