Platform: wordpress
Component: wp-gdpr-cookie-consent
Fixed in: 1.0.1
CVE-2025-53316 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP GDPR Cookie Consent plugin. The forged request can be used to trigger Stored Cross-Site Scripting (XSS), allowing an attacker to plant malicious scripts in user profiles or other sensitive areas. The vulnerability affects versions 1.0.0 and earlier; a patch is available in version 1.0.1.
The primary impact of CVE-2025-53316 is Stored XSS. An attacker crafts a request that, when issued from a legitimate user's browser, stores a payload that later executes as arbitrary JavaScript in the context of the site. Consequences include account takeover, theft of cookies and session tokens, defacement, or redirection to phishing sites. Because the entry point is a CSRF, the attacker does not need the victim to click anything specific within the site: an authenticated user merely visiting an attacker-controlled page can be made to issue the forged request.
CVE-2025-53316 was publicly disclosed on 2025-11-06. No public proof-of-concept (PoC) code had been released at the time of writing, but the CSRF-to-stored-XSS chain is a well-understood attack pattern. It is not currently listed in the CISA KEV catalog. The severity is rated HIGH because stored XSS can have a significant impact on website security and user data.
Exploit Status
EPSS: 0.03% (10th percentile)
The recommended mitigation is to upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds: configure a Web Application Firewall (WAF) to block requests carrying suspicious or invalid CSRF tokens, and ensure strict input validation and output encoding are applied throughout the plugin so that XSS payloads cannot be stored or rendered. Regularly review and audit the plugin's code for potential vulnerabilities. After upgrading, confirm the fix by attempting to trigger a CSRF against the affected handler and verifying that the request is rejected or handled safely.
Update the WP GDPR Cookie Consent plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Implement additional security measures, such as input validation and output encoding, to protect against future CSRF attacks.
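The defensive pattern that closes a CSRF-to-stored-XSS chain in a WordPress settings handler, as an added illustration (this is not code from the WP GDPR Cookie Consent plugin; the option key, field name and action name are hypothetical):

```php
<?php
// Added illustrative example, not code from the WP GDPR Cookie Consent plugin.
// Four controls close the CSRF -> stored XSS chain in a WordPress settings
// handler: a nonce bound to the user's session, a capability check, input
// sanitization on save, and output escaping on render.
// DEMO_OPTION and the 'demo_save_banner' action are hypothetical names.

const DEMO_OPTION = 'demo_cookie_banner_text';

// Render the settings form. wp_nonce_field() emits a token tied to the current
// user's session; a request forged from another origin cannot supply it.
function demo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    $text = get_option( DEMO_OPTION, '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_banner">';
    wp_nonce_field( 'demo_save_banner', 'demo_nonce' );
    // Escape on output: whatever is stored is rendered as inert attribute text.
    echo '<input type="text" name="banner_text" value="' . esc_attr( $text ) . '">';
    submit_button();
    echo '</form>';
}

// Handle the POST. Nothing is written until both checks pass.
function demo_save_banner() {
    // check_admin_referer() terminates the request if the nonce is missing
    // or invalid; this is the check that stops the cross-site request.
    check_admin_referer( 'demo_save_banner', 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    // Sanitize on input: tags and control characters are stripped before storage.
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( DEMO_OPTION, $text );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_demo_save_banner', 'demo_save_banner' );
```

Wherever the stored value is later printed on the front end, wrap it in esc_html() or esc_attr() as well; sanitization on save and escaping on output are independent layers, and the fix should not rely on only one of them.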
CVE-2025-53316 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP GDPR Cookie Consent plugin that allows for Stored XSS attacks, potentially compromising user data and website security.
You are affected if you are using WP GDPR Cookie Consent version 1.0.0 or earlier. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade the WP GDPR Cookie Consent plugin to version 1.0.1 or later. Implement WAF rules as a temporary workaround if upgrading is not immediately possible.
While no active exploitation has been confirmed, the CSRF/XSS combination is a well-known attack pattern, and exploitation is possible.
Refer to the official WP GDPR Cookie Consent plugin documentation and website for the latest advisory and security updates.