WordPress Plugin Vulnerabilities

Real Cookie Banner: GDPR & ePrivacy Cookie Consent < 5.2.5 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint

Description

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.

Affects Plugins

Plugin icon
real-cookie-banner
Fixed in 5.2.5

References

CVE
CVE-2025-12136
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f559d7f-3faf-4549-b529-f4db03dce2dd

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
SpiderSec
Verified
No
WPVDB ID
579d8bdb-bd0f-4a6d-89d7-22c6e9f07548

Timeline

Publicly Published
2025-10-23 (about 6 months ago)
Added
2025-10-23 (about 6 months ago)
Last Updated
2025-10-24 (about 6 months ago)

Other

Published
Title
Published
2026-02-25
Title
Gift Up Gift Cards for WordPress and WooCommerce < 3.1.8 - Unauthenticated Server-Side Request Forgery
Published
2021-02-27
Title
Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
Published
2026-02-13
Title
User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter
Published
2025-02-14
Title
Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme < 3.1.5 - Authenticated (Contributor+) Blind Server-Side Request Forgery via remote_request
Published
2023-11-06
Title
WPB Show Core <= 2.2 - Unauthenticated Server Side Request Forgery