CVE-2025-24547 identifies a stored cross-site scripting (XSS) vulnerability in the matthias.wagner Caching Compatible Cookie Opt-In and JavaScript plugin, which is used to manage cookie consent in web applications. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored and later executed in the context of users visiting the affected site. This stored XSS can be exploited by attackers to execute arbitrary scripts, leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The affected versions include all releases up to and including 0.0.10. No CVSS score has been assigned yet, and no patches or known exploits are currently reported. The vulnerability does not require authentication or user interaction beyond visiting a compromised page, increasing its risk profile. The plugin’s role in cookie consent management means it is widely used in websites that must comply with privacy regulations, thus increasing the potential attack surface. The lack of proper input sanitization and output encoding in the plugin’s codebase is the root cause, making it imperative for developers and administrators to apply secure coding practices and deploy mitigations promptly.

The stored XSS vulnerability in this plugin can have severe consequences for organizations worldwide. Attackers can leverage this flaw to steal sensitive user information such as session cookies, enabling account takeover and unauthorized access. It can also facilitate phishing attacks by injecting deceptive content or redirecting users to malicious websites. For organizations, this can result in reputational damage, loss of customer trust, regulatory penalties (especially under privacy laws like GDPR), and potential financial losses. Since the plugin is used in cookie consent management, which is a critical component for compliance with privacy regulations, exploitation could also undermine legal compliance efforts. The vulnerability’s ease of exploitation and the persistence of injected scripts increase the risk of widespread impact across multiple users and sessions. Additionally, automated exploitation could be used to compromise large numbers of websites using this plugin, amplifying the threat.

Organizations should monitor the vendor’s communications for official patches and apply them immediately once available. In the absence of a patch, administrators should consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding standards. Implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct regular security audits and penetration testing focused on web application input handling. Educate developers on secure coding practices, particularly regarding cross-site scripting prevention. Additionally, implement web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. Finally, maintain up-to-date backups and incident response plans to quickly recover from any successful exploitation.