A high-severity vulnerability has been identified in the Cookie Notice & Consent plugin for WordPress, which could allow an attacker to inject malicious code into a website. This attack, known as Stored Cross-Site Scripting (XSS), could lead to the theft of sensitive user information, account takeover, or website defacement. Organizations using this plugin are at risk of data breaches and reputational damage if the vulnerability is exploited.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the Cookie Notice & Consent plugin. An unauthenticated attacker can inject a malicious script into the uuid parameter. This malicious script is then stored on the web server's database and is executed in the browser of any user who views the compromised page, including administrators, leading to potential session hijacking, data theft, or unauthorized actions performed on behalf of the user.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant business impact, including the compromise of administrator accounts, which would grant an attacker full control over the affected WordPress site. This could lead to website defacement, theft of customer data stored on the site, distribution of malware to visitors, and substantial reputational damage that erodes customer trust.

Immediate Action: Immediately update the Cookie Notice & Consent plugin to the latest available version that patches this vulnerability. If the plugin is no longer required for business operations, it should be deactivated and removed completely from the WordPress installation to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for unusual requests containing script tags or encoded characters within the uuid parameter. Implement file integrity monitoring to detect unauthorized changes to plugin files. Regularly review the database tables associated with the plugin for any stored malicious scripts.

Compensating Controls: If patching is not immediately possible, deploy a Web Application Firewall (WAF) with rules designed to detect and block common XSS attack patterns. Implement a stringent Content Security Policy (CSP) to restrict the sources from which scripts can be loaded, thereby mitigating the impact of a successful injection.

Public Exploit Available: false

Given the high severity of this vulnerability (CVSS 7.2) and the widespread use of WordPress, we strongly recommend that organizations apply the vendor-supplied patch for the Cookie Notice & Consent plugin immediately. Although this CVE is not currently listed on the CISA KEV catalog, its potential for administrative account takeover presents a critical risk. Prioritize patching on all internet-facing WordPress sites to prevent potential compromise.