CVE-2025-49390 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the christophrado Cookie Notice & Consent plugin, which is used to manage cookie consent banners on websites. The vulnerability exists due to improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored and later executed in the browsers of users visiting affected sites. This flaw affects all versions up to and including 1.6.4. The attack vector is remote (network), with low attack complexity, but requires the attacker to have some level of privileges (PR:L) and user interaction (UI:R), such as tricking a user into clicking a crafted link or interacting with malicious content. The vulnerability impacts the confidentiality and integrity of data by enabling attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions on behalf of the user. Availability is not impacted. The vulnerability has a CVSS v3.1 base score of 5.4, categorized as medium severity. No public exploits or active exploitation have been reported to date. The vulnerability was reserved in June 2025 and published in November 2025. The plugin is commonly used in WordPress environments, which are prevalent across many European organizations, especially in sectors relying on web presence and compliance with cookie consent regulations.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user data collected or processed via websites using the affected plugin. Exploitation could lead to session hijacking, unauthorized access to user accounts, theft of personal data, or manipulation of user interactions on affected websites. Given the widespread use of cookie consent plugins to comply with GDPR and ePrivacy Directive requirements, many European websites may be using this plugin or similar ones, increasing the potential attack surface. The impact is heightened in sectors with sensitive user data such as e-commerce, finance, healthcare, and public services. Although no availability impact is noted, reputational damage and regulatory penalties could result from successful exploitation. The requirement for some privilege and user interaction reduces the likelihood of mass exploitation but targeted attacks remain a concern.

1. Monitor for and apply security updates or patches from the vendor as soon as they become available to address this vulnerability. 2. If patches are not yet available, consider temporarily disabling or replacing the plugin with a secure alternative. 3. Implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. 4. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including XSS. 6. Educate users and administrators about the risks of clicking unknown links or interacting with suspicious content to reduce successful exploitation via social engineering. 7. Review and harden user privilege assignments to minimize the ability of attackers to inject malicious input. 8. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting known vulnerable plugins.