WordPress WP GDPR Cookie Consent plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability
Platform
wordpress
Component
wp-gdpr-cookie-consent
Fixed in
1.0.1
CVE-2025-53316 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP GDPR Cookie Consent plugin. This vulnerability can be exploited to trigger Stored XSS attacks, potentially allowing an attacker to inject malicious scripts into user profiles or other sensitive areas. The vulnerability impacts versions 1.0.0 and earlier, and a patch is available in version 1.0.1.
Impact and Attack Scenarios
The primary impact of CVE-2025-53316 is the potential for Stored Cross-Site Scripting (XSS). A successful attacker can leverage the CSRF vulnerability to craft malicious requests that, when executed by a user with sufficient privileges (e.g., an administrator), will store arbitrary JavaScript code within the plugin's configuration. This stored script can then be triggered when other users interact with the plugin, leading to the execution of malicious code in their browsers. This could result in session hijacking, defacement of the website, or the theft of sensitive user data. The stored nature of the XSS makes it particularly persistent and difficult to detect.
Exploitation Context
CVE-2025-53316 was publicly disclosed on 2025-11-06. No public proof-of-concept (POC) code has been released at the time of writing, but the CSRF-to-XSS chain is a well-understood attack pattern. The vulnerability is not currently listed on the CISA KEV catalog. The potential for stored XSS elevates the risk, as it can persist even after the initial attack vector is closed.
Who Is at Risk
Websites using the WP GDPR Cookie Consent plugin, particularly those running older versions (1.0.0 and earlier), are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a vulnerability in one site could potentially impact others. Sites relying on the plugin for GDPR compliance are especially vulnerable, as a successful attack could compromise user data and violate privacy regulations.
Detection Steps
- wordpress / composer / npm: grep -r "wp_gdpr_cookie_consent" /var/www/html/wp-content/plugins/
- wordpress / composer / npm: wp plugin list --fields=name,version,status | grep wp-gdpr-cookie-consent
- wordpress / composer / npm: curl -s https://your-wordpress-site.com/wp-content/plugins/wp-gdpr-cookie-consent/readme.txt | grep -i 'Stable tag'
  (HTTP response headers do not carry the plugin version; the "Stable tag" line of the publicly served readme.txt does, so a value of 1.0.0 or lower indicates an affected install.)
Attack Timeline
- Disclosure
Threat Analysis
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: exploitable without authentication. No credentials required.
- User Interaction
- Required: the victim must open a file, click a link, or visit a page.
- Scope
- Changed: the attack can reach beyond the vulnerable component to other systems.
- Confidentiality
- Low: partial or indirect access to some data.
- Integrity
- Low: the attacker can modify some data with limited scope.
- Availability
- Low: partial or intermittent denial of service.
Affected Software
Package Information
- Active Installations
- 100
- Plugin Rating
- 0.0
- Requires WordPress
- 4.5+
- Compatible up to
- 4.9.29
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The recommended mitigation for CVE-2025-53316 is to immediately upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests with suspicious CSRF tokens. Additionally, ensure that all user input to the plugin is properly validated and sanitized to prevent the injection of malicious code. Regularly review plugin configurations for any unusual or unauthorized changes. After upgrade, confirm the fix by attempting a CSRF attack on plugin settings and verifying that the attack is blocked.
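The following is an added illustration of the CSRF-to-stored-XSS pattern this advisory describes in a generic WordPress settings handler, alongside the hardened form that the nonce, capability, sanitization and escaping checks produce. It is not code from the WP GDPR Cookie Consent plugin; the option name `wpgcc_banner_text`, the action `wpgcc_save_settings` and all function names are hypothetical.

```php
<?php
// Illustrative example, not code from WP GDPR Cookie Consent. The option,
// action and function names below are hypothetical.

// BEFORE (anti-pattern): the handler accepts any POST that reaches admin-post.php.
// A cross-site form submitted by a logged-in administrator's browser therefore
// stores attacker-controlled HTML, which is later echoed to every visitor (stored XSS).
function wpgcc_save_settings_vulnerable() {
    update_option( 'wpgcc_banner_text', $_POST['banner_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpgcc' ) );
    exit;
}

// AFTER: the settings form carries a nonce that only our own page can emit.
function wpgcc_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpgcc_save_settings">
        <?php wp_nonce_field( 'wpgcc_save_settings', 'wpgcc_nonce' ); ?>
        <textarea name="banner_text"><?php echo esc_textarea( get_option( 'wpgcc_banner_text', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function wpgcc_save_settings_hardened() {
    // 1. Capability check: only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: a cross-site page cannot read the nonce, so a forged request dies here.
    check_admin_referer( 'wpgcc_save_settings', 'wpgcc_nonce' );

    // 3. Sanitize on write: wp_kses_post() removes <script> tags and on* event handlers.
    $banner = isset( $_POST['banner_text'] ) ? wp_kses_post( wp_unslash( $_POST['banner_text'] ) ) : '';
    update_option( 'wpgcc_banner_text', $banner );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpgcc&updated=1' ) );
    exit;
}
add_action( 'admin_post_wpgcc_save_settings', 'wpgcc_save_settings_hardened' );

// 4. Escape on read as well, so a value stored before the fix cannot execute either.
function wpgcc_render_banner() {
    echo '<div class="wpgcc-banner">' . wp_kses_post( get_option( 'wpgcc_banner_text', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'wpgcc_render_banner' );
```

Step 4 matters for the "persists even after the initial attack vector is closed" point above: upgrading stops new injections, but any value already saved under the old handler should be reviewed or re-sanitized as part of the post-upgrade configuration review.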
How to Fix
Update the WP GDPR Cookie Consent plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. Implement additional security measures, such as input validation and output encoding, to protect against future CSRF attacks.
Frequently Asked Questions
What is CVE-2025-53316 — CSRF in WP GDPR Cookie Consent?
CVE-2025-53316 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP GDPR Cookie Consent plugin that allows for Stored XSS attacks, potentially compromising user data and website security.
Am I affected by CVE-2025-53316 in WP GDPR Cookie Consent?
You are affected if you are using WP GDPR Cookie Consent version 1.0.0 or earlier. Upgrade to version 1.0.1 to mitigate the risk.
How do I fix CVE-2025-53316 in WP GDPR Cookie Consent?
The recommended fix is to upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later. Implement WAF rules as a temporary workaround if upgrading is not immediately possible.
Is CVE-2025-53316 being actively exploited?
While no active exploitation has been confirmed, the CSRF/XSS combination is a well-known attack pattern, and exploitation is possible.
Where can I find the official WP GDPR Cookie Consent advisory for CVE-2025-53316?
Refer to the official WP GDPR Cookie Consent plugin documentation and website for the latest advisory and security updates.