The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Wordpress |
|
| Wplegalpages |
|
No data.
No data.
References
History
Thu, 19 Feb 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wordpress
Wordpress wordpress Wplegalpages Wplegalpages cookie Banner For Gdpr / Ccpa – Wplp Cookie Consent |
|
| Vendors & Products |
Wordpress
Wordpress wordpress Wplegalpages Wplegalpages cookie Banner For Gdpr / Ccpa – Wplp Cookie Consent |
Thu, 19 Feb 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys. | |
| Title | Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2026-02-19T03:25:13.376Z
Updated: 2026-02-19T03:25:13.376Z
Reserved: 2025-10-14T17:51:56.180Z
Link: CVE-2025-11754
Vulnrichment
No data.
NVD
No data.
Redhat
No data.