{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24604", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:17.047Z", "datePublished": "2026-01-23T14:29:03.770Z", "dateUpdated": "2026-04-28T16:14:50.330Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "simple-gdpr-cookie-compliance", "product": "Simple GDPR Cookie Compliance", "vendor": "themebeez", "versions": [{"changes": [{"at": "2.0.1", "status": "unaffected"}], "lessThanOrEqual": "2.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:50.560Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0.</p>"}], "value": "Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.330Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Simple GDPR Cookie Compliance plugin <= 2.0.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:26:03.116899Z", "id": "CVE-2026-24604", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:37:44.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24604", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:26:03.116899Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:25:56.603Z"}}], "cna": {"title": "WordPress Simple GDPR Cookie Compliance plugin <= 2.0.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "themebeez", "product": "Simple GDPR Cookie Compliance", "versions": [{"status": "affected", "changes": [{"at": "2.0.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.0"}], "packageName": "simple-gdpr-cookie-compliance", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:50.560Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.948Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24604", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:37:44.673Z", "dateReserved": "2026-01-23T12:32:17.047Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:03.770Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Simple GDPR Cookie Compliance: desde n/a hasta &lt;= 2.0.0."}], "id": "CVE-2026-24604", "lastModified": "2026-04-28T15:16:18.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:19.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:33:37.106772+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple GDPR Cookie Compliance plugin to the latest version that resolves the missing authorization flaw.", "If an update is not possible, remove or disable the plugin entirely to eliminate the risk.", "Restrict administrative access to the plugin\u2019s configuration pages and enforce least\u2011privilege for all site users.", "Monitor the web application for unusual access patterns or configuration changes and run periodic security scans."], "summary": {"action": "Immediate Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The affected component is the WordPress plugin Simple GDPR Cookie Compliance by themebeez, versions from the earliest release through 2.0.0 inclusive. Any site using an instance of this plugin up to and including version 2.0.0 is potentially impacted.", "description_and_impact": "The Simple GDPR Cookie Compliance plugin suffers from a missing authorization flaw that allows attackers to bypass access controls and manipulate or view cookie\u2011compliance settings. This broken access control can enable unauthorized configuration changes, potentially exposing cookie handling logic and user preferences to unauthenticated or improperly authorized users. The vulnerability is classified as CWE\u2011862, indicating an authority bypass that could affect confidentiality and integrity of site configuration data.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a medium severity level, while an EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to target a site where the plugin is active and attempt to access or modify configuration endpoints that lack proper authorization. The risk is moderate; however, because the flaw provides unauthorized administrative access within the plugin, it could be leveraged to influence site behavior or bypass privacy controls."}}}}, "created": "2026-01-26T11:53:16.075807+00:00", "updated": "2026-04-16T01:45:20.648983+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}