Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Security & Risk Analysis

wordpress.org/plugins/cookiebot

Install your cookie banner in minutes. Automatically scan and block cookies to comply with the GDPR, CCPA, Google Consent Mode v2. Free plan option.

100K active installs · v4.6.7 · PHP 5.6+ · WP 4.4+ · Updated Apr 6, 2026
Tags: cookie-banner, cookie-consent, cookie-notice, gdpr, privacy
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jan 29, 2026
Safety Verdict

Is Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Safe to Use in 2026?

Generally Safe

Score 95/100

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Jan 29, 2026 · Updated 1mo ago
Risk Assessment

The Cookiebot plugin v4.6.6 exhibits a mixed security posture. On the positive side, the code analysis reveals a strong adherence to secure coding practices, with all identified entry points (AJAX handlers, shortcodes) having nonce and capability checks, and SQL queries exclusively using prepared statements. There are no detected dangerous functions or file operations, and external HTTP requests are minimal and likely controlled. Taint analysis shows no critical or high-severity vulnerabilities, suggesting that data sanitization and neutralization are generally effective within the analyzed code paths.

However, a significant concern arises from the plugin's vulnerability history. With four known CVEs, including one currently unpatched, this indicates a recurring pattern of security weaknesses. The prevalence of medium-severity vulnerabilities such as Cross-Site Request Forgery (CSRF), Missing Authorization, and Cross-site Scripting (XSS) suggests that these issues have been difficult to fully address in past versions. The existence of an unpatched vulnerability is a direct and immediate risk that could be exploited by attackers. While the static analysis for the current version is promising, the historical context cannot be ignored.

In conclusion, while version 4.6.6 of Cookiebot appears to have implemented good security practices internally, the historical vulnerability data, particularly the unpatched CVE, presents a notable risk. Users should be aware of this history and prioritize updating to a version where all previously identified vulnerabilities are resolved. The strengths in internal code security are undermined by the persistent presence of exploitable flaws in the plugin's lifecycle.

Key Concerns

  • Unpatched CVE
  • Medium severity historical vulnerabilities (4)
  • Output escaping is not fully proper (27% unescaped)
Vulnerabilities
4 published

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2026-25407 · medium · 4.3 · Missing Authorization

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode <= 4.6.4 - Missing Authorization

Jan 29, 2026 · Patched in 4.6.5 (48d)

CVE-2025-53197 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Cookiebot <= 4.5.8 - Cross-Site Request Forgery

Jun 27, 2025 · Patched in 4.5.9 (5d)

CVE-2025-1666 · medium · 4.3 · Missing Authorization

Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission

Mar 5, 2025 · Patched in 4.4.2 (1d)

WF-765df8f4-438c-41b6-ac74-494f1b74cf33-cookiebot · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cookiebot | GDPR/CCPA Compliant Cookie Consent and Control <= 3.6.0 - Reflected Cross-Site Scripting

Sep 8, 2020 · Patched in 3.6.1 (1232d)

Version History

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Release Timeline

v4.6.7 · Current
v4.6.6 · 5 files changed
v4.6.5 · 36 files changed
v4.6.4 · 1 CVE · 11 files changed
v4.6.3 · 1 CVE · 7 files changed
v4.6.2 · 1 CVE · 49 files changed
v4.6.1 · 1 CVE · 16 files changed
v4.6.0 · 1 CVE · 10 files changed
v4.5.11 · 1 CVE · 30 files changed
v4.5.10 · 1 CVE · 3 files changed
v4.5.9 · 1 CVE · 8 files changed
v4.5.8 · 2 CVEs · 13 files changed
v4.5.7 · 2 CVEs · 12 files changed
v4.5.6 · 2 CVEs · 5 files changed
v4.5.5 · 2 CVEs · 20 files changed
v4.5.4 · 2 CVEs · 35 files changed
v4.5.3 · 2 CVEs · 33 files changed
v4.5.2 · 2 CVEs · 5 files changed
v4.5.1 · 2 CVEs · 5 files changed

Code Analysis
Analyzed Mar 16, 2026

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 209 (579 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

73% escaped · 788 total outputs

Attack Surface

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_cookiebot_activate_ppg · src\settings\pages\PPG_Page.php:28
auth · wp_ajax_cookiebot_install_ppg · src\settings\pages\PPG_Page.php:29

Shortcodes 2

[cookie_declaration] src\shortcode\Cookiebot_Declaration_Shortcode.php:14
[uc_embedding] src\shortcode\Cookiebot_Embedding_Shortcode.php:12
WordPress Hooks 46

action · admin_menu · src\addons\config\Settings_Config.php:67
action · admin_init · src\addons\config\Settings_Config.php:68
action · admin_enqueue_scripts · src\addons\config\Settings_Config.php:69
action · update_option_cookiebot_available_addons · src\addons\config\Settings_Config.php:70
filter · the_content · src\addons\controller\addons\add_to_any\Add_To_Any.php:63
filter · the_excerpt · src\addons\controller\addons\add_to_any\Add_To_Any.php:72
action · wp_loaded · src\addons\controller\addons\Base_Cookiebot_Addon.php:168
action · wp_loaded · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:34
filter · the_content · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:45
filter · widget_text · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:55
filter · wp_video_shortcode · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:65
filter · wp_audio_shortcode · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:75
action · wp_head · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:84
action · wp_enqueue_scripts · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:102
action · wp_enqueue_scripts · src\addons\controller\addons\embed_autocorrect\Embed_Autocorrect.php:103
filter · wc_facebook_pixel_script_attributes · src\addons\controller\addons\facebook_for_woocommerce\Facebook_For_Woocommerce.php:29
filter · exactmetrics_tracking_analytics_script_attributes · src\addons\controller\addons\gadwp\Gadwp.php:63
action · jetpack_stats_extra · src\addons\controller\addons\jetpack\widget\Facebook_Jetpack_Widget.php:32
action · jetpack_stats_extra · src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:28
action · dynamic_sidebar · src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:46
action · dynamic_sidebar_after · src\addons\controller\addons\jetpack\widget\Goodreads_Jetpack_Widget.php:68
action · jetpack_stats_extra · src\addons\controller\addons\jetpack\widget\Googleplus_Badge_Jetpack_Widget.php:38
action · jetpack_contact_info_widget_start · src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:36
action · jetpack_contact_info_widget_end · src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:37
action · jetpack_stats_extra · src\addons\controller\addons\jetpack\widget\Google_Maps_Jetpack_Widget.php:40
action · jetpack_stats_extra · src\addons\controller\addons\jetpack\widget\Twitter_Timeline_Jetpack_Widget.php:35
filter · comment_cookie_lifetime · src\addons\controller\addons\jetpack\widget\Visitor_Cookies_Jetpack_Widget.php:35
filter · litespeed_optimize_js_excludes · src\addons\controller\addons\litespeed_cache\Litespeed_Cache.php:28
filter · ninja_forms_display_fields · src\addons\controller\addons\ninja_forms\Ninja_Forms.php:34
filter · wc_google_analytics_pro_script_attributes · src\addons\controller\addons\woocommerce_google_analytics_pro\Woocommerce_Google_Analytics_Pro.php:23
filter · wpforms_disable_entry_user_ip · src\addons\controller\addons\wpforms\Wpforms.php:24
action · wp_footer · src\addons\controller\addons\wpforms\Wpforms.php:25
filter · rocket_exclude_defer_js · src\addons\controller\addons\wp_rocket\Wp_Rocket.php:25
action · admin_notices · src\addons\controller\Plugin_Controller.php:47
action · parse_request · src\addons\controller\Plugin_Controller.php:84
action · after_setup_theme · src\addons\Cookiebot_Addons.php:80
action · admin_notices · src\admin_notices\Cookiebot_Base_Notice.php:29
action · init · src\admin_notices\Cookiebot_Notices.php:21
action · init · src\gutenberg\Cookiebot_Gutenberg_Declaration_Block.php:14
action · enqueue_block_editor_assets · src\gutenberg\Cookiebot_Gutenberg_Declaration_Block.php:15
action · admin_menu · src\settings\Menu_Settings.php:25
action · admin_init · src\settings\Menu_Settings.php:28
action · updated_option · src\settings\Menu_Settings.php:29
action · network_admin_menu · src\settings\Network_Menu_Settings.php:19
action · network_admin_edit_cookiebot_network_settings · src\settings\Network_Menu_Settings.php:20
action · wp_dashboard_setup · src\widgets\Dashboard_Widget_Cookiebot_Status.php:12

Maintenance & Trust

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 6, 2026
PHP min version: 5.6
Downloads: 6.7M

Community Trust

Rating: 88/100
Number of ratings: 434
Active installs: 100K
Developer Profile

Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode Developer Profile

cookiebot

2 plugins · 100K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 322 days
Detection Fingerprints

How We Detect Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cookiebot/css/backend/addons_page.css
/wp-content/plugins/cookiebot/css/backend/cookiebot_admin_main.css
/wp-content/plugins/cookiebot/js/backend/jquery.tipTip.js
/wp-content/plugins/cookiebot/js/backend/prior-consent-settings.js
Script Paths
img/icons/info.svg
Version Parameters
cookiebot_addons_custom_css?ver=
cookiebot_admin_css?ver=

HTML / DOM Fingerprints

CSS Classes
cookiebot-addons
cb-addons-settings-page
HTML Comments
<!-- Cookiebot Settings -->
<!-- Cookiebot Addons Settings Page -->
Data Attributes
data-cookiebot-cookie-id
JS Globals
php