Stored Cross-site Scripting Vulnerability in Humanityco Cookie Notice for GDPR Compliance
CVE-2025-67554
5.9 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 9 December 2025
What is CVE-2025-67554?
A stored Cross-site Scripting (XSS) vulnerability exists in the Humanityco Cookie Notice & Compliance for GDPR / CCPA plugin. This flaw stems from the improper neutralization of user input during web page generation, allowing attackers to inject malicious scripts that could be executed in the context of the user’s browser. The vulnerability affects versions of the plugin up to and including 2.5.8, posing risks to web application security and user data integrity.
Affected Version(s)
Cookie Notice & Compliance for GDPR / CCPA: versions 0 through 2.5.8 (inclusive)