CVE-2025-23501
Published: 16 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in SpruceJoy Cookie Consent & Autoblock for GDPR/CCPA cookie-consent-autoblock allows Stored XSS. This issue affects Cookie Consent & Autoblock for GDPR/CCPA: from n/a through <= 1.0.1.
Security Summary
CVE-2025-23501 is a Cross-Site Request Forgery (CSRF) vulnerability in the SpruceJoy Cookie Consent & Autoblock for GDPR/CCPA WordPress plugin (cookie-consent-autoblock). The flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions up to and including 1.0.1. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.
Unauthenticated attackers can exploit this over the network with low attack complexity, but user interaction is required. By tricking a site administrator or other privileged user into visiting a malicious webpage, an attacker can forge a request that performs an administrative action and stores a malicious XSS payload. Because the vulnerability changes scope (S:C), the stored script then executes in the site's origin in the browsers of subsequent visitors, with low-rated confidentiality, integrity, and availability impact, including potential session hijacking or data theft.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/cookie-consent-autoblock/vulnerability/wordpress-cookie-consent-autoblock-for-gdpr-ccpa-plugin-1-0-1-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve, provide further details on the vulnerability. Security practitioners should review these for recommended mitigations, such as updating the plugin or implementing CSRF protections.
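The mitigation the summary points to, CSRF protection on the administrative action, is what a WordPress nonce combined with a capability check provides; sanitizing the value before it is stored and escaping it on output removes the stored-XSS half of the chain. The following is an added illustration of that pattern in a generic WordPress settings handler, not code from the cookie-consent-autoblock plugin, whose internals this record does not show. The option name `ccab_banner_text`, the `admin_post` action slug `ccab_save_settings` and the nonce field name `ccab_nonce` are assumptions chosen for the example; the WordPress functions used are the real core APIs.

```php
<?php
// Added illustration (not the plugin's code) of the CSRF -> stored XSS shape in a
// WordPress admin settings handler, next to its hardened form. The option name,
// action slug and nonce name are invented for this example.

// --- Vulnerable shape, shown for contrast: no nonce, no capability check,
//     raw value stored, raw value echoed.
function ccab_vulnerable_save() {
    if ( isset( $_POST['banner_text'] ) ) {
        // Any POST that reaches admin-post.php with this action is accepted,
        // including one a third-party page submits from an admin's browser.
        update_option( 'ccab_banner_text', wp_unslash( $_POST['banner_text'] ) );
    }
}

function ccab_vulnerable_render() {
    // The stored value is echoed unescaped into every page: stored XSS.
    echo '<div class="ccab-banner">' . get_option( 'ccab_banner_text', '' ) . '</div>';
}

// --- Hardened form.
function ccab_settings_form() {
    // Emit the nonce with the form. WordPress ties it to the current user and
    // session, so a cross-site page cannot know or supply a valid one.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ccab_save_settings', 'ccab_nonce' );
    echo '<input type="hidden" name="action" value="ccab_save_settings">';
    echo '<input type="text" name="banner_text" value="'
        . esc_attr( get_option( 'ccab_banner_text', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function ccab_hardened_save() {
    // 1. Authorization: only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ccab' ), 403 );
    }

    // 2. CSRF: verify the nonce bound to this specific action; wp_die()s on failure.
    check_admin_referer( 'ccab_save_settings', 'ccab_nonce' );

    // 3. Input validation: strip tags and control characters before storing.
    $banner_text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'ccab_banner_text', $banner_text );

    // Return to the settings screen rather than rendering from the POST handler.
    $back = wp_get_referer();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ? $back : admin_url() ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the capability and nonce
// checks above are still required because "logged in" is not "authorized".
add_action( 'admin_post_ccab_save_settings', 'ccab_hardened_save' );

function ccab_hardened_render() {
    // 4. Output encoding: escape at the point of output regardless of what was stored,
    //    so a value that reached the database by another path still cannot run.
    echo '<div class="ccab-banner">' . esc_html( get_option( 'ccab_banner_text', '' ) ) . '</div>';
}
```

The order of checks matters: the capability check is authorization and the nonce check is CSRF defence, and neither substitutes for the other. If a setting is meant to hold limited HTML, `wp_kses_post()` in place of `sanitize_text_field()` keeps the allowed markup while still removing script-bearing tags and attributes, and the output escaping then becomes `wp_kses_post()` as well rather than `esc_html()`.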
Details
- CWE(s)