Search criteria
2 vulnerabilities found for Cookie Banner for GDPR / CCPA – WPLP Cookie Consent by wplegalpages
CVE-2025-11754 (GCVE-0-2025-11754)
Vulnerability from nvd – Published: 2026-02-19 03:25 – Updated: 2026-02-19 17:43
VLAI?
Title
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure
Summary
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wplegalpages | Cookie Banner for GDPR / CCPA – WPLP Cookie Consent |
Affected:
* , ≤ 4.1.2
(semver)
|
Credits
Rafshanzani Suhada
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:23:18.756031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:43:06.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent",
"vendor": "wplegalpages",
"versions": [
{
"lessThanOrEqual": "4.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027gdpr/v1/settings\u0027 REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T03:25:13.376Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3443083"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T14:54:28.000Z",
"value": "Disclosed"
}
],
"title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) : WP Cookie Consent \u003c= 4.1.2 - Missing Authorization to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11754",
"datePublished": "2026-02-19T03:25:13.376Z",
"dateReserved": "2025-10-14T17:51:56.180Z",
"dateUpdated": "2026-02-19T17:43:06.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11754 (GCVE-0-2025-11754)
Vulnerability from cvelistv5 – Published: 2026-02-19 03:25 – Updated: 2026-02-19 17:43
VLAI?
Title
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure
Summary
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wplegalpages | Cookie Banner for GDPR / CCPA – WPLP Cookie Consent |
Affected:
* , ≤ 4.1.2
(semver)
|
Credits
Rafshanzani Suhada
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:23:18.756031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:43:06.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent",
"vendor": "wplegalpages",
"versions": [
{
"lessThanOrEqual": "4.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027gdpr/v1/settings\u0027 REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T03:25:13.376Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3443083"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T14:54:28.000Z",
"value": "Disclosed"
}
],
"title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) : WP Cookie Consent \u003c= 4.1.2 - Missing Authorization to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11754",
"datePublished": "2026-02-19T03:25:13.376Z",
"dateReserved": "2025-10-14T17:51:56.180Z",
"dateUpdated": "2026-02-19T17:43:06.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}