CVE-2025-2205: 
WordPress vulnerability analysis and mitigation

The GDPR Cookie Compliance plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-2205) affecting all versions up to and including 4.15.6. The vulnerability was discovered on February 23, 2025, and affects the plugin's admin settings functionality (Wordfence, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's Cookie Banner Content field under Advanced settings. This allows authenticated users with administrator-level permissions to inject arbitrary web scripts that execute when users access the affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The issue specifically affects multi-site installations and installations where unfiltered_html has been disabled (NVD, CleanTalk).

When exploited, the vulnerability allows attackers to inject malicious web scripts that execute whenever a user accesses an injected page. This could lead to session hijacking, account takeover, or the creation of backdoor admin accounts. The impact is particularly significant given that the plugin has over 300,000 active installations (CleanTalk).

Website administrators should update to version 4.15.7 or later of the GDPR Cookie Compliance plugin, which contains the fix for this vulnerability. For those unable to update immediately, it's recommended to restrict access to the plugin's settings and ensure the unfiltered_html capability is properly configured, especially in multisite installations (CleanTalk).