CVE-2025-71310 Overview
CVE-2025-71310 is a stored Cross-Site Scripting (XSS) vulnerability in the GDPR Cookies module for Backdrop CMS before version 1.x-1.3.5. The flaw exists in the optional Info content field associated with the YouTube service configuration. A user with elevated permissions can inject malicious script content that executes in the browsers of site visitors. The Backdrop CMS security team published advisory sa-contrib-2025-013 describing the issue, which is tracked under [CWE-80] (Improper Neutralization of Script-Related HTML Tags).
Critical Impact
Authenticated attackers with GDPR Cookies service management permissions can inject persistent JavaScript that executes against site visitors viewing the YouTube cookie consent interface.
Affected Products
- Backdrop CMS GDPR Cookies module versions prior to 1.x-1.3.5
- Sites that have configured a YouTube service within the GDPR Cookies module
- Backdrop CMS deployments granting Create a GDPR Cookies Service or Edit any GDPR Cookies Service permissions to non-administrative roles
Discovery Timeline
- 2026-05-26 - CVE-2025-71310 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2025-71310
Vulnerability Analysis
The GDPR Cookies module provides cookie consent management for Backdrop CMS, including pre-configured services such as YouTube. When an administrator configures the YouTube service, the module exposes an optional Info content field intended to explain the service to visitors. The module renders this field without sufficient output encoding, allowing HTML and JavaScript supplied through it to execute in visitor browsers.
The vulnerability requires the attacker to hold a role with the Create a GDPR Cookies Service or Edit any GDPR Cookies Service permission. The target site must also have an active YouTube service configuration where the malicious content renders. Exploitation produces stored XSS that fires whenever a visitor encounters the cookie consent surface containing the YouTube service description.
Root Cause
The root cause is missing or insufficient HTML neutralization of user-supplied input on the Info content field. Backdrop's text filtering or escaping APIs were not applied to this field before rendering, leaving raw markup in the output stream. This maps to [CWE-80], where script-related HTML tags pass through to the browser unescaped.
Attack Vector
An attacker authenticated with the required permission edits or creates the YouTube GDPR Cookies service and submits a payload in the Info content field. The payload is stored in the module configuration. When a visitor loads any page that renders the YouTube consent block, the browser parses the injected markup and executes attacker-controlled JavaScript. The script runs in the visitor's session context and can perform actions such as session token theft, redirection, or DOM manipulation.
No verified public proof-of-concept code is available. See the Backdrop CMS Security Advisory for vendor technical details.
Detection Methods for CVE-2025-71310
Indicators of Compromise
- Unexpected <script>, <img onerror=...>, or event-handler markup stored in the GDPR Cookies YouTube service Info content field
- Outbound requests from visitor browsers to unfamiliar domains after the cookie consent banner renders
- Audit log entries showing edits to GDPR Cookies service configuration by non-administrative roles
Detection Strategies
- Inspect the GDPR Cookies module configuration export for HTML tags or JavaScript content within YouTube service description fields
- Review Backdrop CMS watchdog and database logs for changes to GDPR Cookies service entries
- Run web content security scanners against pages that render the cookie consent interface to flag reflected or stored script payloads
Monitoring Recommendations
- Monitor role assignments granting Create a GDPR Cookies Service or Edit any GDPR Cookies Service and restrict them to trusted administrators
- Enable Content Security Policy (CSP) headers with strict script-src directives to limit execution of inline or third-party scripts
- Alert on configuration changes to contributed modules via file integrity monitoring or Backdrop's configuration management workflow
How to Mitigate CVE-2025-71310
Immediate Actions Required
- Upgrade the GDPR Cookies module to version 1.x-1.3.5 or later
- Audit existing YouTube service configurations for unexpected markup in the Info content field and sanitize any suspicious entries
- Review which roles hold the Create a GDPR Cookies Service or Edit any GDPR Cookies Service permissions and revoke from non-trusted roles
Patch Information
The Backdrop CMS maintainers released a fix in GDPR Cookies module version 1.x-1.3.5. Refer to the Backdrop CMS Security Advisory sa-contrib-2025-013 for the official update guidance and download instructions.
Workarounds
- Temporarily remove the YouTube service from the GDPR Cookies configuration until the module is updated
- Restrict the GDPR Cookies service management permissions to administrative roles only
- Deploy a Content Security Policy that blocks inline script execution to reduce exploit impact
# Configuration example: restrict GDPR Cookies permissions via drush-equivalent for Backdrop
backdrop config-set gdpr_cookies.settings allowed_roles administrator
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

