CVE Alert: CVE-2025-10496 – christophrado – Cookie Notice & Consent

Risk verdict

High risk due to unauthenticated, network-exposed stored XSS in a widely used WordPress plugin; exploitation is possible without user interaction.

Why this matters

Attacker-controlled scripts can be executed in visitors’ browsers, enabling cookie theft or page defacement and potentially compromising admin or user sessions. With no authentication required, any site using the vulnerable plugin is at risk, threatening data integrity, user trust, and brand reputation.

Most likely attack path

An attacker targets pages that render the vulnerable uuid parameter, delivering injected scripts to any visitor. Exploitation requires no user action and leverages network access with low complexity; scope may extend beyond the immediate page to other components or admin sessions when trusted users visit compromised pages.

Who is most exposed

Self-hosted WordPress sites running the affected plugin (especially older instances not updated beyond 1.6.5) are most at risk, including sites with lax input sanitisation or weak patch management.

Detection ideas

• Look for anomalous uuid parameter values in web requests and responses containing script tags.
• Track output that escapes in HTML where it should be neutralised.
• Monitor browser console or WAF alerts for stored XSS patterns tied to this plugin.
• Correlate traffic spikes or unusual page modifications after plugin activity.
• Inspect admin pages for unexpected script injections.

Mitigation and prioritisation

• Update to the latest plugin version or disable the plugin until patched.
• Apply input sanitisation and output escaping at server level; implement a filter on the uuid parameter.
• Validate WordPress core and all plugins; perform regression tests in a staging environment.
• Implement a temporary WAF rule to block common XSS payloads targeting this vector.
• If KEV is true or EPSS ≥ 0.5, treat as priority 1; otherwise prioritise patching within the next maintenance window.