WordPress Plugin Vulnerabilities

Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent < 4.0.8 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description

The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID.

Affects Plugins

Plugin icon
gdpr-cookie-consent
Fixed in 4.0.8

References

CVE
CVE-2025-14061
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
5bac9b92-4172-44ad-a126-77389b84eca5

Timeline

Publicly Published
2025-12-16 (about 3 months ago)
Added
2025-12-16 (about 3 months ago)
Last Updated
2025-12-17 (about 3 months ago)

Other

Published
Title
Published
2022-01-12
Title
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
Published
2024-12-02
Title
Simple User Registration < 6.0 - Missing Authorization to User Deletion
Published
2024-03-21
Title
AI Post Generator < 3.4 - Subscriber+ Posts Read/Creation/Deletion
Published
2025-05-16
Title
Element Pack Pro < 8.0.0 - Missing Authorization
Published
2025-06-04
Title
InWave Jobs <= 3.5.8 - Missing Authorization