Platform
wordpress
Component
wp-gdpr-cookie-consent
Fixed in
1.0.1
CVE-2025-53316 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP GDPR Cookie Consent plugin for WordPress. Because the forged request reaches a settings handler that stores what it receives, the CSRF can be chained into Stored Cross-Site Scripting (XSS): an attacker can plant script in the plugin's stored settings, from where it is served to other users. Versions 1.0.0 and earlier are affected; the fix is in version 1.0.1.
The primary impact of CVE-2025-53316 is Stored XSS. The attacker lures a user with sufficient privileges (typically an administrator) onto a page they control; that page makes the victim's browser submit a settings request to the WordPress site, which the browser sends together with the victim's session cookies. Since the handler does not verify that the request was intentionally made from the plugin's own settings page, the attacker-chosen value, including arbitrary JavaScript, is written into the plugin's configuration. Whenever the plugin later renders that setting, the script executes in the browser of whoever loads the page, which can lead to session hijacking, site defacement or theft of user data. Because the payload lives in the database rather than in a single crafted link, it keeps firing until the setting is cleaned up, and it is easy to overlook in a routine review.
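The chain above, shown as an added PHP example that is not the WP GDPR Cookie Consent plugin's code: a settings handler in the vulnerable shape (no nonce, no capability check, raw value stored, raw value echoed) beside the hardened shape that breaks the chain at four points. The option name, action name, field names and function names are assumed for the illustration; it runs inside WordPress, and the WordPress functions it calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`, `update_option`) are the standard core API.

```php
<?php
/**
 * Added illustration of the CSRF -> stored XSS pattern. This is NOT the
 * WP GDPR Cookie Consent plugin's code; option, action and field names are
 * assumed. Runs inside WordPress (plugin or mu-plugin context).
 */

/* --- Vulnerable shape ------------------------------------------------- */

function example_vuln_save_settings() {
    if ( isset( $_POST['banner_text'] ) ) {
        // Honoured for any request that arrives with an admin's cookies,
        // including one auto-submitted by a form on the attacker's site.
        // The value is stored verbatim, HTML and <script> included.
        update_option( 'example_banner_text', $_POST['banner_text'] );
    }
}

function example_vuln_render_banner() {
    // The stored payload is echoed unescaped into every visitor's page.
    echo '<div class="cookie-banner">' . get_option( 'example_banner_text', '' ) . '</div>';
}

/*
 * Constructed attacker page against the hypothetical handler above
 * (not a PoC for the real plugin). The victim's browser attaches the
 * WordPress auth cookies itself; no nonce is present, and none is checked:
 *
 *   <form action="https://victim.example/wp-admin/admin-post.php" method="POST">
 *     <input type="hidden" name="action" value="example_save_banner">
 *     <input type="hidden" name="banner_text" value="<script>/* payload *\/</script>">
 *   </form>
 *   <script>document.forms[0].submit();</script>
 */

/* --- Hardened shape --------------------------------------------------- */

function example_safe_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_banner">
        <?php wp_nonce_field( 'example_save_banner', 'example_nonce' ); // 1. nonce bound to this user + action ?>
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'example_banner_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_safe_save_settings() {
    // 2. Authorization: only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 1. CSRF: a cross-site form cannot know the nonce, so the forged request dies here.
    check_admin_referer( 'example_save_banner', 'example_nonce' );

    // 3. Input: strip tags entirely (use wp_kses_post() if limited markup is required).
    $text = sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) );
    update_option( 'example_banner_text', $text );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-banner&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_banner', 'example_safe_save_settings' );

function example_safe_render_banner() {
    // 4. Output: escape at render time regardless of what the database holds.
    echo '<div class="cookie-banner">' . esc_html( get_option( 'example_banner_text', '' ) ) . '</div>';
}
```

Points 1 and 2 stop the forgery (the nonce check alone is enough for CSRF; the capability check stops lower-privileged users abusing the endpoint directly), while 3 and 4 ensure that even a stored value that slipped through cannot execute. A plugin that has only the output escaping is still CSRF-vulnerable; a plugin that has only the nonce still has a stored XSS exposed to any user who can reach the settings form legitimately.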
CVE-2025-53316 was publicly disclosed on 2025-11-06. No public proof-of-concept (POC) code has been released at the time of writing, but the CSRF-to-XSS chain is a well-understood attack pattern. The vulnerability is not currently listed on the CISA KEV catalog. The potential for stored XSS elevates the risk, as it can persist even after the initial attack vector is closed.
Websites running the WP GDPR Cookie Consent plugin at version 1.0.0 or earlier are at risk. If the injected script lands in a setting that the plugin renders in its front-end banner, it reaches every visitor of the site, not only logged-in users. Script running in an administrator's session can be used to make further privileged changes, including installing or editing plugins, so on shared hosting where several sites run under the same system user and file permissions a compromised site can also endanger its neighbours. Sites that depend on the plugin for GDPR consent handling face an additional problem: tampering with the consent mechanism or stealing visitor data through it is itself a reportable data-protection incident.
Detection (wordpress / composer / npm):
• grep -r "wp_gdpr_cookie_consent" /var/www/html/wp-content/plugins/
• wp plugin list --fields=name,status,version | grep wp-gdpr-cookie-consent
• curl -s https://your-wordpress-site.com/wp-content/plugins/wp-gdpr-cookie-consent/readme.txt | grep -i 'Stable tag'
The first command finds the plugin on disk, the second reports the installed version and whether it is active, and the third reads the version the installed copy declares in its readme.txt (an HTTP HEAD of the plugin directory, as originally listed here, never returns a version). Treat any reported version below 1.0.1 as affected, whether the plugin is active or not.
Disclosure
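The same check as an added PHP audit snippet, runnable inside WordPress (for example with `wp eval-file`), so that it can be applied across a fleet of sites from one script. It is not part of the advisory or of the plugin; it assumes the plugin lives in the `wp-gdpr-cookie-consent/` directory (the component name above) and that 1.0.1 is the fixed version, and it distinguishes active from inactive installs, which the grep above does not.

```php
<?php
/**
 * Added audit snippet (not the plugin's code). Run inside WordPress, e.g.:
 *   wp eval-file check-gdpr-cookie-consent.php
 * Assumes plugin directory wp-gdpr-cookie-consent/ and fixed version 1.0.1.
 */
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

/**
 * Return findings for every installed copy of the plugin: its main file,
 * declared version, whether it is below the fixed version, and whether it
 * is active. $plugins has the shape returned by get_plugins().
 */
function example_find_affected_plugin( array $plugins, $slug = 'wp-gdpr-cookie-consent/', $fixed = '1.0.1' ) {
    $findings = array();
    foreach ( $plugins as $file => $data ) {
        if ( strpos( $file, $slug ) !== 0 ) {
            continue; // some other plugin
        }
        $findings[] = array(
            'file'       => $file,
            'version'    => $data['Version'],
            'vulnerable' => version_compare( $data['Version'], $fixed, '<' ),
            'active'     => is_plugin_active( $file ),
        );
    }
    return $findings;
}

$findings = example_find_affected_plugin( get_plugins() );
if ( empty( $findings ) ) {
    echo "wp-gdpr-cookie-consent not installed\n";
}
foreach ( $findings as $f ) {
    printf(
        "%s version %s: %s (%s)\n",
        $f['file'],
        $f['version'],
        $f['vulnerable'] ? 'VULNERABLE, upgrade to 1.0.1 or later' : 'patched',
        $f['active'] ? 'active' : 'inactive: an inactive copy is still an unpatched file on disk, upgrade or delete it'
    );
}
```

`version_compare()` handles the usual WordPress version strings (`1.0.0`, `1.0.1-beta`), so the comparison does not break on suffixes the way a plain string comparison would.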
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-53316 is to upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later immediately. If the upgrade has to wait for compatibility testing, a Web Application Firewall rule can cover the gap: a forged request is issued by the victim's browser from the attacker's page, so it carries the victim's cookies but its Origin or Referer header names the attacker's site. A rule that rejects POST requests to wp-admin whose Origin or Referer does not match the site's own host blocks the forgery, while legitimate administration, which is same-origin, passes. Until the upgrade is applied, review the plugin's stored settings for unexpected HTML or script tags and remove anything an administrator did not enter. After upgrading, confirm the fix by submitting a settings save for the plugin from a page on another origin while logged in as an administrator, and verify that WordPress rejects the request instead of storing the value.
Update the WP GDPR Cookie Consent plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Apply additional defence-in-depth measures, such as input validation and output encoding, which blunt the stored XSS half of the chain even if a forged request gets through.
CVE-2025-53316 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP GDPR Cookie Consent plugin that allows for Stored XSS attacks, potentially compromising user data and website security.
You are affected if you are using WP GDPR Cookie Consent version 1.0.0 or earlier. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later. Implement WAF rules as a temporary workaround if upgrading is not immediately possible.
While no active exploitation has been confirmed, the CSRF/XSS combination is a well-known attack pattern, and exploitation is possible.
Refer to the official WP GDPR Cookie Consent plugin documentation and website for the latest advisory and security updates.