Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent < 4.1.3 – Missing Authorization to Sensitive Information Exposure | CVE 2025-11754 | Plugin Vulnerabilities

Description

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

Affects Plugins

gdpr-cookie-consent

Fixed in 4.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

c150bd54-4db7-4567-8651-ab0635c93770

Timeline

Publicly Published

2026-02-18 (about 2 months ago)

Added

2026-02-18 (about 2 months ago)

Last Updated

2026-02-19 (about 2 months ago)

Other

Published

Title

Published

2025-12-31

Title

Wawp < 4.5 - Missing Authorization

Published

2024-09-24

Title

Easy Mega Menu Plugin for WordPress – ThemeHunk < 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Settings Updates

Published

2026-04-16

Title

Tutor LMS < 3.9.9 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

Published

2024-01-30

Title

BizPrint < 4.5.4 - Unauthenticated WC Order Data Access

Published

2022-11-21

Title

Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion