Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics < 4.4.2 – Missing Authorization to Authenticated (Subscriber+) Survey Submission | CVE 2025-1666 | Plugin Vulnerabilities

Description

The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website.

Affects Plugins

Fixed in 4.4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e5fca6-363c-4875-9eb8-44e080d99650

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

32306d55-7065-433e-9ad1-d00d56e326cc

Timeline

Publicly Published

2025-03-05 (about 1 year ago)

Added

2025-03-11 (about 1 year ago)

Last Updated

2025-03-11 (about 1 year ago)

Other

Published

Title

Published

2022-08-06

Title

ActiveDEMAND plugin < 0.2.28 - Unauthenticated Post Creation/Update/Deletion

Published

2025-03-24

Title

Music Press Pro <= 1.4.6 - Missing Authorization

Published

2021-09-27

Title

WP Debugging < 2.11.0 - Unauthenticated Plugin's Settings Update

Published

2026-03-01

Title

Popup Like box < 3.7.8 - Missing Authorization

Published

2025-03-13

Title

Search and filter pro < 2.5.20 - Missing Authorization to Authenticated (Subscriber+) Post Meta Exposure