CVE-2025-11754

Description

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

wplegalpages / Cookie Banner for GDPR / CCPA – WPLP Cookie Consent0 – 4.1.2

References

MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve
MISChttps://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77
MISChttps://plugins.trac.wordpress.org/changeset/3443083