WordPress Plugin Vulnerabilities

GDPR/CCPA Cookie Consent Banner < 3.2.1 - Missing Authorization via handle_consent_toggle()

Description

The GDPR/CCPA Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_consent_toggle() function in versions up to, and including, 3.2. This makes it possible for unauthenticated attackers to toggle consent.

Affects Plugins

Plugin icon
uk-cookie-consent
Fixed in 3.2.1

References

CVE
CVE-2024-35692
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9f521875-6b4a-44a6-b810-c13b73891e20

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
b2e7517f-fc56-4dee-8606-6d3cd1689a7f

Timeline

Publicly Published
2024-06-06 (about 1 year ago)
Added
2024-06-12 (about 1 year ago)
Last Updated
2024-06-12 (about 1 year ago)

Other

Published
Title
Published
2026-03-20
Title
Group Chat & Video Chat by AtomChat < 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
Published
2022-01-24
Title
Catch Web Tools < 2.7.1 - Subscriber+ Arbitrary Catch IDs Activation/Deactivation
Published
2025-08-01
Title
WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons < 1.7.1 - Missing Authorization to Unauthenticated Sticky Status Update
Published
2026-02-08
Title
AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.5 - Missing Authorization
Published
2025-09-22
Title
Subresource Integrity (SRI) Manager <= 0.4.0 - Missing Authorization