Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Security & Risk Analysis

wordpress.org/plugins/cookiebot

Install your cookie banner in minutes. Automatically scan and block cookies to comply with the GDPR, CCPA, Google Consent Mode v2. Free plan option.

100K active installs · v4.6.6 · PHP 5.6+ · WP 4.4+ · Updated Mar 12, 2026
Tags: cookie-banner, cookie-consent, cookie-notice, gdpr, privacy
Score: 72
B · Generally Safe
CVEs total: 4
Unpatched: 1
Last CVE: Jan 29, 2026
Safety Verdict

Is Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Safe to Use in 2026?

Mostly Safe

Score 72/100

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode is generally safe to use. 4 past CVEs were resolved. Keep it updated.

4 known CVEs · 1 unpatched · Last CVE: Jan 29, 2026 · Updated 22d ago
Risk Assessment

The Cookiebot plugin v4.6.6 exhibits a mixed security posture. On the positive side, the code analysis reveals a strong adherence to secure coding practices, with all identified entry points (AJAX handlers, shortcodes) having nonce and capability checks, and SQL queries exclusively using prepared statements. There are no detected dangerous functions or file operations, and external HTTP requests are minimal and likely controlled. Taint analysis shows no critical or high-severity vulnerabilities, suggesting that data sanitization and neutralization are generally effective within the analyzed code paths.

However, a significant concern arises from the plugin's vulnerability history. With four known CVEs, including one currently unpatched, this indicates a recurring pattern of security weaknesses. The prevalence of medium-severity vulnerabilities such as Cross-Site Request Forgery (CSRF), Missing Authorization, and Cross-site Scripting (XSS) suggests that these issues have been difficult to fully address in past versions. The existence of an unpatched vulnerability is a direct and immediate risk that could be exploited by attackers. While the static analysis for the current version is promising, the historical context cannot be ignored.

In conclusion, while version 4.6.6 of Cookiebot appears to have implemented good security practices internally, the historical vulnerability data, particularly the unpatched CVE, presents a notable risk. Users should be aware of this history and prioritize updating to a version where all previously identified vulnerabilities are resolved. The strengths in internal code security are undermined by the persistent presence of exploitable flaws in the plugin's lifecycle.

Key Concerns

  • Unpatched CVE
  • Medium severity historical vulnerabilities (4)
  • Output escaping is not fully proper (27% unescaped)
Vulnerabilities
4

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2025: 2 CVEs
2026: 1 CVE (unpatched)

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2026-25407 · medium · 4.3 · Missing Authorization
Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode <= 4.6.4 - Missing Authorization
Jan 29, 2026 · Unpatched

CVE-2025-53197 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Cookiebot <= 4.5.8 - Cross-Site Request Forgery
Jun 27, 2025 · Patched in 4.5.9 (5d)

CVE-2025-1666 · medium · 4.3 · Missing Authorization
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission
Mar 5, 2025 · Patched in 4.4.2 (1d)

WF-765df8f4-438c-41b6-ac74-494f1b74cf33-cookiebot · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cookiebot | GDPR/CCPA Compliant Cookie Consent and Control <= 3.6.0 - Reflected Cross-Site Scripting
Sep 8, 2020 · Patched in 3.6.1 (1232d)
Code Analysis
Analyzed Mar 16, 2026

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 209 (579 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

73% escaped · 788 total outputs
Attack Surface

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers: 2

auth  wp_ajax_cookiebot_activate_ppg  src\settings\pages\PPG_Page.php:28
auth  wp_ajax_cookiebot_install_ppg  src\settings\pages\PPG_Page.php:29

Shortcodes: 2

[cookie_declaration] src\shortcode\Cookiebot_Declaration_Shortcode.php:14
[uc_embedding] src\shortcode\Cookiebot_Embedding_Shortcode.php:12

WordPress Hooks: 46

action  admin_menu  src\addons\config\Settings_Config.php:67
action  admin_init  src\addons\config\Settings_Config.php:68
action  admin_enqueue_scripts  src\addons\config\Settings_Config.php:69
action  update_option_cookiebot_available_addons  src\addons\config\Settings_Config.php:70
filter  the_content  src\addons\controller\addons\add_to_any\Add_To_Any.php:63
filter  the_excerpt  src\addons\controller\addons\add_to_any\Add_To_Any.php:72
action  wp_loaded  src\addons\controller\addons\Base_Cookiebot_Addon.php:168
action  wp_loaded  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:34
filter  the_content  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:45
filter  widget_text  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:55
filter  wp_video_shortcode  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:65
filter  wp_audio_shortcode  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:75
action  wp_head  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:84
action  wp_enqueue_scripts  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:102
action  wp_enqueue_scripts  src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:103
filter  wc_facebook_pixel_script_attributes  src\addons\controller\addons\facebook_for_woocommerce\Facebook_For_Woocommerce.php:29
filter  exactmetrics_tracking_analytics_script_attributes  src\addons\controller\addons\gadwp\Gadwp.php:63
action  jetpack_stats_extra  src\addons\controller\addons\jetpack\widget\Facebook_Jetpack_Widget.php:32
action  jetpack_stats_extra  src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:28
action  dynamic_sidebar  src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:46
action  dynamic_sidebar_after  src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:68
action  jetpack_stats_extra  src\addons\controller\addons\jetpack\widget\Googleplus_Badge_Jetpack_Widget.php:38
action  jetpack_contact_info_widget_start  src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:36
action  jetpack_contact_info_widget_end  src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:37
action  jetpack_stats_extra  src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:40
action  jetpack_stats_extra  src\addons\controller\addons\jetpack\widget\Twitter_Timeline_Jetpack_Widget.php:35
filter  comment_cookie_lifetime  src\addons\controller\addons\jetpack\widget\Visitor_Cookies_Jetpack_Widget.php:35
filter  litespeed_optimize_js_excludes  src\addons\controller\addons\litespeed_cache\Litespeed_Cache.php:28
filter  ninja_forms_display_fields  src\addons\controller\addons\ninja_forms\Ninja_Forms.php:34
filter  wc_google_analytics_pro_script_attributes  src\addons\controller\addons\woocommerce_google_analytics_pro\Woocommerce_Google_Analytics_Pro.php:23
filter  wpforms_disable_entry_user_ip  src\addons\controller\addons\wpforms\Wpforms.php:24
action  wp_footer  src\addons\controller\addons\wpforms\Wpforms.php:25
filter  rocket_exclude_defer_js  src\addons\controller\addons\wp_rocket\Wp_Rocket.php:25
action  admin_notices  src\addons\controller\Plugin_Controller.php:47
action  parse_request  src\addons\controller\Plugin_Controller.php:84
action  after_setup_theme  src\addons\Cookiebot_Addons.php:80
action  admin_notices  src\admin_notices\Cookiebot_Base_Notice.php:29
action  init  src\admin_notices\Cookiebot_Notices.php:21
action  init  src\gutenberg\Cookiebot_Gutenberg_Declaration_Block.php:14
action  enqueue_block_editor_assets  src\gutenberg\Cookiebot_Gutenberg_Declaration_Block.php:15
action  admin_menu  src\settings\Menu_Settings.php:25
action  admin_init  src\settings\Menu_Settings.php:28
action  updated_option  src\settings\Menu_Settings.php:29
action  network_admin_menu  src\settings\Network_Menu_Settings.php:19
action  network_admin_edit_cookiebot_network_settings  src\settings\Network_Menu_Settings.php:20
action  wp_dashboard_setup  src\widgets\Dashboard_Widget_Cookiebot_Status.php:12
Maintenance & Trust

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 12, 2026
PHP min version: 5.6
Downloads: 6.6M

Community Trust

Rating: 88/100
Number of ratings: 431
Active installs: 100K
Developer Profile

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Developer Profile

cookiebot

2 plugins · 100K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 413 days
Detection Fingerprints

How We Detect Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cookiebot/css/backend/addons_page.css
/wp-content/plugins/cookiebot/css/backend/cookiebot_admin_main.css
/wp-content/plugins/cookiebot/js/backend/jquery.tipTip.js
/wp-content/plugins/cookiebot/js/backend/prior-consent-settings.js
Script Paths
img/icons/info.svg
Version Parameters
cookiebot_addons_custom_css?ver=
cookiebot_admin_css?ver=

HTML / DOM Fingerprints

CSS Classes
cookiebot-addons
cb-addons-settings-page
HTML Comments
<!-- Cookiebot Settings -->
<!-- Cookiebot Addons Settings Page -->
Data Attributes
data-cookiebot-cookie-id
JS Globals
php