CVE-2025-1623: 
WordPress vulnerability analysis and mitigation

The GDPR Cookie Compliance WordPress plugin before version 4.15.9 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on February 23, 2025, and was assigned CVE-2025-1623. This security issue affects the plugin's settings functionality, particularly impacting high-privilege users such as administrators (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. This security flaw allows high-privilege users to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow authenticated administrators to store and execute malicious JavaScript code in the plugin's settings. The stored XSS payload would be triggered whenever the Integration settings page is loaded in the backend, potentially affecting other administrative users (WPScan).

The vulnerability has been patched in version 4.15.9 of the GDPR Cookie Compliance plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).