{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22348", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.919Z", "datePublished": "2026-01-22T16:52:34.203Z", "dateUpdated": "2026-04-28T16:47:29.076Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "civic-cookie-control-8", "product": "Civic Cookie Control", "vendor": "Tasos Fel", "versions": [{"changes": [{"at": "1.54", "status": "unaffected"}], "lessThanOrEqual": "1.53", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:04.429Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Civic Cookie Control: from n/a through <= 1.53.</p>"}], "value": "Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Civic Cookie Control: from n/a through <= 1.53."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.274Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Civic Cookie Control plugin <= 1.53 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:43:07.004831Z", "id": "CVE-2026-22348", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:47:29.076Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:43:07.004831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:43:03.406Z"}}], "cna": {"title": "WordPress Civic Cookie Control plugin <= 1.53 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tasos Fel", "product": "Civic Cookie Control", "versions": [{"status": "affected", "changes": [{"at": "1.54", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.53"}], "packageName": "civic-cookie-control-8", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:04.429Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Civic Cookie Control: from n/a through <= 1.53.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Civic Cookie Control: from n/a through <= 1.53.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.274Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22348", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:47:29.076Z", "dateReserved": "2026-01-07T12:21:19.919Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:34.203Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Civic Cookie Control: from n/a through <= 1.53."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Tasos Fel Civic Cookie Control civic-cookie-control-8 permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configuradas. Este problema afecta a Civic Cookie Control: desde n/a hasta &lt;= 1.53."}], "id": "CVE-2026-22348", "lastModified": "2026-04-28T19:36:30.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:31.363", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:51:18.358669+00:00", "value": {"mitigation_remediation": ["Upgrade Civic Cookie Control to the latest version (1.54 or newer) to apply the official fix.", "If an immediate upgrade is not possible, restrict access to the plugin\u2019s administrative endpoints by configuring your web server\u2019s access control (e.g., using .htaccess or equivalent) to allow only authenticated administrator users.", "Review and audit user role permissions on the WordPress site to ensure that only authorized users have access to cookie management functions, and apply the principle of least privilege."], "summary": {"action": "Patch", "impact": "Broken Access Control (unauthorized access)"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Civic Cookie Control plugin version 1.53 or earlier, developed by Tasos Fel. Any installation running the plugin at version 1.53 or any earlier released version is impacted.", "description_and_impact": "The Civic Cookie Control plugin for WordPress contains a missing authorization flaw that allows attackers to exploit incorrectly configured access control security levels. This vulnerability can enable unauthorized users to access or modify functionality that is intended to be restricted to privileged users, potentially leading to data exposure or manipulation of cookie consent settings. The weakness is categorized as \"Missing Authorization\" under CWE\u2011862.", "risk_and_exploitability": "The CVSS v3 score of 5.3 indicates moderate risk. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The lack of explicit statement about the attack vector infers a remote web-based exploitation path, where an attacker submits crafted requests to the plugin\u2019s managed endpoints to bypass user authorization controls."}}}}, "created": "2026-01-23T16:28:21.104543+00:00", "updated": "2026-04-16T08:00:11.190667+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}