CVE-2025-4955: CWE-79 Cross-Site Scripting (XSS) in tarteaucitron.io

Medium
Tags: Vulnerability, CVE-2025-4955, CWE-79
Published: Wed Jun 18 2025 (06/18/2025, 06:00:02 UTC)
Source: CVE Database V5
Product: tarteaucitron.io

Description

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.

AI-Powered Analysis

Last updated: 06/18/2025, 06:19:30 UTC

Technical Analysis

CVE-2025-4955 is a Stored Cross-Site Scripting (XSS) vulnerability in the tarteaucitron.io WordPress plugin in versions prior to 1.9.5. The plugin is commonly used to manage cookie consent and privacy compliance on websites. The flaw lies in how the plugin handles query parameters taken from YouTube oEmbed URLs: when a user with the contributor role or higher embeds YouTube content through such a URL, the parameters are reused without correct sanitization or output encoding, so script content placed in them is stored persistently in the site's content or database. Whenever another user or an administrator later views the affected page, that script runs in their browser, which can lead to session hijacking, privilege escalation, or unauthorized actions inside the WordPress environment.

Exploitation requires at least contributor-level access. In WordPress that is a relatively low privilege level, so the issue is practical on any site where several users contribute content. No public exploits have been reported, and no official patch links were provided at the time of publication. The weakness is classified as CWE-79 (improper neutralization of input during web page generation). No CVSS score has been assigned, so the severity has not yet been rated by a standard scoring system.

Potential Impact

For European organizations, the risk concentrates on WordPress sites that use the tarteaucitron.io plugin for cookie consent management and have multiple contributors. A successful attack yields persistent XSS that compromises the confidentiality and integrity of user sessions: attackers could steal authentication cookies, perform actions on behalf of legitimate users, or inject content that damages the organization's reputation. Because personal data may be exposed, a compromise could also trigger penalties under the GDPR and other European privacy regulations, and since the plugin itself exists to support privacy compliance, undermining its integrity can erode user trust and bring legal and financial consequences.

The contributor-level access requirement narrows the attack surface but does not remove it, as many organizations grant contributor rights to a number of users. The stored nature of the XSS raises the impact: the payload persists and affects every visitor or administrator who views the infected content. With no known exploits, the threat is currently theoretical, but it should be addressed proactively.

Mitigation Recommendations

European organizations should audit their WordPress installations to identify where the tarteaucitron.io plugin is installed and which version is in use. Upgrading to version 1.9.5 or later, once available, is the primary mitigation. Until a patch is applied, restrict the contributor role to trusted users and enforce a content review workflow that catches suspicious embed URLs before publication. Web Application Firewall (WAF) rules that filter or sanitize unexpected query parameters in YouTube oEmbed URLs can block exploitation attempts, and a Content Security Policy (CSP) that restricts script sources reduces the impact of any payload that does get stored. Scan the site regularly for stored XSS payloads with automated tools and manual code review, educate contributors about safe content practices, and monitor logs for unusual activity around content submissions. Finally, isolate administrative interfaces and enforce multi-factor authentication (MFA) for higher-privilege accounts so that a compromised session causes limited damage.
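The sanitization gap described above is the point where a defensive rebuild of the embed URL belongs. The following is an added example written for this page, not code from the tarteaucitron.io plugin: it treats every query parameter on a contributor-supplied YouTube oEmbed URL as untrusted, keeps only an assumed allowlist of documented YouTube player parameters with validated values, extracts and validates the video id, and rebuilds the embed `src` from those parts before HTML-attribute encoding it. The allowlist contents, the hostname set, and the `youtube-nocookie.com` embed host are assumptions for the example; a real plugin would tune them to its needs.

```javascript
// Added example, not the tarteaucitron.io plugin's code. Rebuilds a YouTube
// embed src from an oEmbed-style URL using an allowlist of parameters, instead
// of copying the contributor-supplied query string into the page.

const isSeconds = (v) => /^\d{1,6}$/.test(v);      // plain integer offset
const isFlag = (v) => v === "0" || v === "1";      // boolean player flags

// Assumed allowlist (documented YouTube player parameters). A Map is used on
// purpose: a plain object would make keys like "constructor" or "__proto__"
// resolve to inherited functions and slip through the lookup.
const ALLOWED_PARAMS = new Map([
  ["start", isSeconds],
  ["end", isSeconds],
  ["autoplay", isFlag],
  ["mute", isFlag],
  ["loop", isFlag],
  ["controls", isFlag],
  ["rel", isFlag],
]);

const YOUTUBE_HOSTS = new Set(["www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Pull the video id out of the URL shapes we accept; caller validates it.
function extractVideoId(u) {
  if (u.hostname === "youtu.be") return u.pathname.slice(1);
  if (u.pathname === "/watch") return u.searchParams.get("v") || "";
  const m = u.pathname.match(/^\/(?:embed|shorts)\/([^/]+)$/);
  return m ? m[1] : "";
}

// Returns a safe embed URL, or null when the input is not an acceptable
// YouTube URL. Unknown parameters and invalid values are dropped; logging the
// dropped keys would give defenders a useful detection signal.
function buildSafeEmbedSrc(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" || !YOUTUBE_HOSTS.has(u.hostname)) return null;

  const id = extractVideoId(u);
  if (!VIDEO_ID.test(id)) return null;

  const clean = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    const validate = ALLOWED_PARAMS.get(key);
    if (validate && validate(value)) clean.set(key, value);
  }
  const qs = clean.toString();
  return "https://www.youtube-nocookie.com/embed/" + id + (qs ? "?" + qs : "");
}

// Second layer: encode for a double-quoted HTML attribute even though the URL
// was rebuilt from validated parts.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Produces the iframe markup, or an empty string when the URL is rejected.
function renderIframe(rawUrl) {
  const src = buildSafeEmbedSrc(rawUrl);
  if (src === null) return "";
  return '<iframe src="' + escapeAttr(src) + '" allowfullscreen></iframe>';
}

// Constructed sample inputs (video id is made up for the example).
console.log(renderIframe("https://www.youtube.com/watch?v=aBcDeFgHiJk&start=30&junk=%22%3E&autoplay=2"));
console.log(renderIframe("http://www.youtube.com/watch?v=aBcDeFgHiJk")); // rejected: not https
```

The design choice worth noting is that nothing from the original query string reaches the output unchanged: the video id must match a fixed pattern, every parameter must be both named in the allowlist and accepted by its validator, and the final string is still attribute-encoded. A WAF rule can only approximate this; the allowlist at the point of rendering is what actually closes the gap.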

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-05-19T12:57:59.033Z
CVSS Version: null
State: PUBLISHED

Threat ID: 685256f0a8c921274386f544

Added to database: 6/18/2025, 6:04:32 AM

Last enriched: 6/18/2025, 6:19:30 AM

Last updated: 8/12/2025, 7:51:37 AM

Views: 25
