CVE-2025-58607: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin, identified as CVE-2025-58607. The vulnerability affects versions up to and including 1.7.11, and was disclosed on September 3, 2025. The security issue was initially reported by researcher 'zaim' on July 28, 2025, and was subsequently published by Patchstack (Patchstack Report).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security flaw stems from insufficient input sanitization and output escaping in the plugin's code (Rapid7 Analysis).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. When executed, these scripts can potentially lead to unauthorized redirects, malicious advertisement insertions, and other HTML payload executions when visitors access the affected pages (Patchstack Report).

The vulnerability has been patched in version 1.7.12 of the plugin. Website administrators are advised to update to version 1.7.12 or later to remediate the security issue. For users unable to update immediately, it is recommended to restrict access to contributor-level accounts and monitor for suspicious activities (Patchstack Report).