{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14061", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T20:05:20.864Z", "datePublished": "2025-12-17T06:36:58.873Z", "dateUpdated": "2026-04-08T17:04:48.101Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:48.101Z"}, "affected": [{"vendor": "wplegalpages", "product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID."}], "title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.0.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8091"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8878"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-12-16T17:48:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T21:34:21.038254Z", "id": "CVE-2025-14061", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:34:33.478Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T21:34:21.038254Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T21:34:28.974Z"}}], "cna": {"title": "Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.0.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wplegalpages", "product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-16T17:48:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8091"}, {"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8878"}], "descriptions": [{"lang": "en", "value": "The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:48.101Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14061", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:48.101Z", "dateReserved": "2025-12-04T20:05:20.864Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T06:36:58.873Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID."}], "id": "CVE-2025-14061", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T07:15:58.623", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8091"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8878"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:10:32.156489+00:00", "value": {"mitigation_remediation": ["Update the WP Cookie Consent plugin to the latest version that includes the missing capability check.", "If an update is not immediately possible, disable the plugin or the gdpr_delete_policy_data endpoint to block unauthenticated deletion attempts.", "As a temporary fix, inspect the plugin code and introduce an explicit capability check (for example, require the current user to have the \"manage_options\" capability) before executing any deletion logic."], "summary": {"action": "Apply Patch", "impact": "Unauthorized deletion of arbitrary posts, pages, and attachments"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the wplegalpages \"Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent\" plugin up to and including version 4.0.7. Any installation of this plugin before the fix is susceptible.", "description_and_impact": "The WordPress plugin misimplements the gdpr_delete_policy_data function by omitting a capability check, allowing an unauthenticated user to trigger permanent deletion of any post, page, or attachment by supplying its ID. This flaw is classified as a missing authorization weakness (CWE-862), leading to integrity loss of site content and potentially site disruption.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity. An EPSS score of less than 1% points to a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector involves an unauthenticated HTTP request targeting the vulnerable function, passing the identifier of any desired post type for deletion."}}}}, "created": "2025-12-17T14:28:32.793769+00:00", "updated": "2026-04-22T00:15:03.773181+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wplegalpages", "wplegalpages$PRODUCT$wp_cookie_consent"]}