{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11754", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T17:51:56.180Z", "datePublished": "2026-02-19T03:25:13.376Z", "dateUpdated": "2026-04-08T16:48:32.726Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:32.726Z"}, "affected": [{"vendor": "wplegalpages", "product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys."}], "title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"}, {"url": "https://plugins.trac.wordpress.org/changeset/3443083"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2026-02-18T14:54:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:23:18.756031Z", "id": "CVE-2025-11754", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:43:06.008Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:23:18.756031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:23:20.852Z"}}], "cna": {"title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wplegalpages", "product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T14:54:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"}, {"url": "https://plugins.trac.wordpress.org/changeset/3443083"}], "descriptions": [{"lang": "en", "value": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T03:25:13.376Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11754", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:43:06.008Z", "dateReserved": "2025-10-14T17:51:56.180Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T03:25:13.376Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys."}, {"lang": "es", "value": "El plugin GDPR Cookie Consent para WordPress es vulnerable al acceso no autorizado de datos debido a una falta de verificaci\u00f3n de capacidad en el endpoint de la API REST 'gdpr/v1/settings' en todas las versiones hasta la 4.1.2, inclusive. Esto hace posible que atacantes no autenticados recuperen configuraciones sensibles del plugin, incluyendo tokens de API, direcciones de correo electr\u00f3nico, IDs de cuenta y claves de sitio."}], "id": "CVE-2025-11754", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:26.777", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3443083"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent", "source": "cna", "vendor": "wplegalpages"}, "product": "cookie_banner_for_gdpr_/_ccpa_\u2013_wplp_cookie_consent", "vendor": "wplegalpages"}], "analysis": {"en": {"generated_at": "2026-04-22T12:12:19.232139+00:00", "value": {"mitigation_remediation": ["Update the WPLP Cookie Consent plugin to the latest release that includes the authentication check for the /gdpr/v1/settings endpoint. ", "If an update cannot be applied immediately, block unauthenticated requests to the /wp-json/gdpr/v1/settings endpoint using a web application firewall, .htaccess rule, or by disabling the endpoint through custom code. ", "Review the site\u2019s REST API configuration to ensure that all endpoints require proper capability checks and remove or harden any that do not."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the WPLP Cookie Consent plugin version 4.1.2 or earlier are vulnerable. The plugin, named Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent, is distributed through the WordPress plugin repository and can be installed on any standard WordPress installation.", "description_and_impact": "The GDPR Cookie Consent plugin for WordPress implements a REST API endpoint at /wp-json/gdpr/v1/settings that should be protected by a capability check. In all affected releases up to and including version 4.1.2 the plugin fails to verify that the requester has permission to access configuration settings. Consequently any user\u2014authenticated or not\u2014can retrieve the plugin\u2019s configuration, which contains API tokens, email addresses, account identifiers, and site keys. This leakage allows an attacker to compromise third\u2011party integrations and potentially gain unauthorized access to services linked to those credentials, leading to a breach of confidentiality and resources used by the site.", "risk_and_exploitability": "The CVSS score of 7.5 indicates significant severity, while the EPSS score of less than 1% suggests that widespread exploitation is currently not common but still possible. The issue is not listed in the CISA KEV catalog. The attack can be carried out from a remote web request to the exposed REST endpoint without authentication, making the vulnerability trivial to exploit for an attacker who can reach the site. Successful exploitation reveals sensitive configuration data that could enable further attacks such as credential stuffing or service takeover."}}}}, "created": "2026-02-19T10:07:42.107550+00:00", "updated": "2026-04-22T12:15:16.037320+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wplegalpages", "wplegalpages$PRODUCT$cookie_banner_for_gdpr_/_ccpa_\u2013_wplp_cookie_consent"]}