{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-24T21:14:10.275Z", "datePublished": "2025-03-06T11:11:01.970Z", "dateUpdated": "2026-04-08T17:25:26.804Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:26.804Z"}, "affected": [{"vendor": "cookiebot", "product": "Cookiebot by Usercentrics \u2013 Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website."}], "title": "Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e5fca6-363c-4875-9eb8-44e080d99650?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cookiebot/tags/4.4.1/src/lib/Cookiebot_Review.php#L135"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251089%40cookiebot&new=3251089%40cookiebot&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-03-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-06T16:18:39.562291Z", "id": "CVE-2025-1666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:18:52.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T16:18:39.562291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:18:46.852Z"}}], "cna": {"title": "Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "cookiebot", "product": "Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-05T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e5fca6-363c-4875-9eb8-44e080d99650?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/cookiebot/tags/4.4.1/src/lib/Cookiebot_Review.php#L135"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251089%40cookiebot&new=3251089%40cookiebot&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-06T11:11:01.970Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1666", "state": "PUBLISHED", "dateUpdated": "2025-03-06T16:18:52.928Z", "dateReserved": "2025-02-24T21:14:10.275Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-06T11:11:01.970Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cookie banner plugin for WordPress \u2013 Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website."}, {"lang": "es", "value": "El complemento Cookie banner para WordPress \u2013 Cookiebot CMP de Usercentrics para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de comprobaci\u00f3n de capacidad en la funci\u00f3n send_uninstall_survey() en todas las versiones hasta la 4.4.1 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, env\u00eden la encuesta de desinstalaci\u00f3n en nombre de un sitio web."}], "id": "CVE-2025-1666", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-06T12:15:36.117", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/cookiebot/tags/4.4.1/src/lib/Cookiebot_Review.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251089%40cookiebot&new=3251089%40cookiebot&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e5fca6-363c-4875-9eb8-44e080d99650?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:39:40.709108+00:00", "value": {"mitigation_remediation": ["Upgrade Cookiebot CMP to a version later than 4.4.1 where the capability check is implemented.", "Limit the use of Subscriber+ and higher roles to trusted users; remove or downgrade any unnecessary accounts that have those privileges.", "If an upgrade cannot be performed immediately, disable or remove the send_uninstall_survey function from the plugin, or block its accessibility to non-admin users via custom security rules."], "summary": {"action": "Apply Update", "impact": "Unauthorized data modification via survey submission"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Cookiebot CMP plugin by Usercentrics \u2013 Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode on WordPress installations. All releases up to and including version 4.4.1 are vulnerable; any site that has not applied a patch or upgrade beyond 4.4.1 remains exposed.", "description_and_impact": "The Cookiebot CMP plugin for WordPress contains a missing capability check in its send_uninstall_survey() function. Authenticated users with Subscriber-level access can invoke the function without authorization, allowing them to submit uninstall survey data as if they were the site administrator. This results in unauthorized data modification and potential tampering of survey metrics, which undermines data integrity and could be used to conduct malicious or deceptive surveys.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact, while the EPSS score of < 1% shows a low likelihood of exploitation in the wild. The bug is not listed in CISA KEV, which further suggests it has not yet been widely exploited. An attacker would need to compromise or steal credentials for a user with Subscriber+ access, or manipulate the site to elevate privileges. Once such access is achieved, the attacker could submit a survey on behalf of the site, potentially defrauding analytics or reporting."}}}}, "created": "2026-04-20T23:45:21.606737+00:00", "updated": "2026-04-20T23:45:21.606747+00:00", "vendors": []}