{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25407", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.001Z", "datePublished": "2026-02-19T08:27:04.641Z", "dateUpdated": "2026-04-28T16:14:58.334Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cookiebot", "product": "Cookiebot", "vendor": "cookiebot", "versions": [{"changes": [{"at": "4.6.5", "status": "unaffected"}], "lessThanOrEqual": "4.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:08.188Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cookiebot: from n/a through <= 4.6.4.</p>"}], "value": "Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.334Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cookiebot/vulnerability/wordpress-cookiebot-plugin-4-6-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Cookiebot plugin <= 4.6.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:08:08.651295Z", "id": "CVE-2026-25407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:16:54.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:08:08.651295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:06:50.207Z"}}], "cna": {"title": "WordPress Cookiebot plugin <= 4.6.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "cookiebot", "product": "Cookiebot", "versions": [{"status": "affected", "changes": [{"at": "4.6.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.6.4"}], "packageName": "cookiebot", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:08.188Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cookiebot/vulnerability/wordpress-cookiebot-plugin-4-6-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Cookiebot: from n/a through <= 4.6.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.334Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25407", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:58.334Z", "dateReserved": "2026-02-02T12:53:19.001Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:04.641Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en cookiebot Cookiebot cookiebot permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Cookiebot: desde n/a hasta &lt;= 4.6.4."}], "id": "CVE-2026-25407", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:22.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cookiebot/vulnerability/wordpress-cookiebot-plugin-4-6-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.6.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cookiebot", "source": "cna", "vendor": "cookiebot"}, "product": "cookiebot", "vendor": "cookiebot"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:30:55.389493+00:00", "value": {"mitigation_remediation": ["Update the Cookiebot plugin to version 4.6.5 or later, which includes the vendor\u2019s fix.", "If an update cannot be applied immediately, disable the Cookiebot plugin until the patch is applied to eliminate the attack surface.", "Review and restrict WordPress user role assignments so that only trusted administrators have access to plugin configuration pages."], "summary": {"action": "Patch Immediately", "impact": "Missing authorization enabling unauthorized access to plugin settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Cookiebot plugin for WordPress where the version is 4.6.4 or earlier; any site running the plugin before version 4.6.5 is considered vulnerable.", "description_and_impact": "A missing authorization check in the Cookiebot WordPress plugin allows an attacker to bypass normal access restrictions. The flaw is present in all releases up to and including version 4.6.4 and could let an attacker view or alter configuration data that should be protected by role\u2011based controls, potentially exposing privacy or functionality of the website.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk profile, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. Based on the description, it is inferred that an attacker would need to authenticate against the WordPress site with a user role that has at least editor privileges and then access the plugin\u2019s administrative endpoints; the vulnerability is not listed in CISA\u2019s KEV catalog, implying no known active exploitation yet."}}}}, "created": "2026-02-20T10:08:27.378241+00:00", "updated": "2026-04-16T06:45:16.305013+00:00", "vendors": ["cookiebot", "cookiebot$PRODUCT$cookiebot", "wordpress", "wordpress$PRODUCT$wordpress"]}