Flexible Cookies Security & Risk Analysis

wordpress.org/plugins/flexible-cookies

Discover a new era of cookie management on your online store website with the reliable Flexible Cookies!

2K active installs · v1.2.7 · PHP 7.4+ · WP 6.4+ · Updated Jan 26, 2026
Tags: consent, cookie, cookie-notice, cookies, gdpr
Score: 99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Flexible Cookies Safe to Use in 2026?

Generally Safe

Score 99/100

Flexible Cookies has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 27, 2025 · Updated 2mo ago
Risk Assessment

The 'flexible-cookies' plugin, version 1.2.7, exhibits a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no immediately obvious unprotected entry points, and a reasonable number of nonce and capability checks are present. Taint analysis did not reveal any critical or high-severity issues related to unsanitized data flows, which is a strong indicator of good development practices in that area.

However, there are notable concerns. The presence of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution (RCE) if used with untrusted input. Furthermore, all SQL queries are executed without prepared statements, making them vulnerable to SQL injection attacks. The plugin also has a history of vulnerabilities, including a medium-severity Cross-Site Request Forgery (CSRF) in the past, indicating potential for recurring security weaknesses if not carefully managed. While no current CVEs are unpatched, this history warrants attention.

In conclusion, while 'flexible-cookies' demonstrates some strengths in input validation and attack surface management, the use of `unserialize` and raw SQL queries without preparation presents critical security risks that outweigh these positives. The past vulnerability history further suggests that careful auditing and secure coding practices are paramount for this plugin.

Key Concerns

  • Dangerous function: unserialize used
  • SQL queries not using prepared statements
  • Medium severity vulnerability in history
Vulnerabilities: 1

Flexible Cookies Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE

Severity Breakdown

  • Medium: 1

1 total CVE

CVE-2025-30805 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Flexible Cookies <= 1.1.8 - Cross-Site Request Forgery

Mar 27, 2025 · Patched in 1.1.9 (7d)
Code Analysis
Analyzed Mar 16, 2026

Flexible Cookies Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 2 (0 prepared)
  • Unescaped Output: 117 (128 escaped)
  • Nonce Checks: 7
  • Capability Checks: 6
  • File Operations: 3
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `return unserialize($value);` · vendor_prefixed\wpdesk\wp-forms\src\Serializer\SerializeSerializer.php:15
  • unserialize · `return unserialize($this->container->get($id));` · vendor_prefixed\wpdesk\wp-persistence\src\Decorator\SerializedPersistentContainer.php:24

SQL Query Safety

0% prepared · 2 total queries

Output Escaping

52% escaped · 245 total outputs

Data Flows: All sanitized

Data Flow Analysis

3 flows
<settings> (src\Views\Dashboard\settings.php:0)
Attack Surface

Flexible Cookies Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

  • auth · wp_ajax_wpdesk_notice_dismiss · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42

WordPress Hooks: 35

  • action · wp_enqueue_scripts · src\Google\GoogleIntegration.php:36
  • action · wp_enqueue_scripts · src\Google\GoogleIntegration.php:37
  • action · init · src\Plugin.php:117
  • action · init · src\Plugin.php:118
  • action · init · src\Plugin.php:119
  • action · init · src\Plugin.php:121
  • action · wp_enqueue_scripts · src\Scanner\Scanner.php:34
  • action · admin_enqueue_scripts · src\Settings\Fields\ColorPickerField.php:18
  • action · admin_footer · src\Settings\Fields\ColorPickerField.php:30
  • action · admin_menu · src\Settings\SettingsPage.php:50
  • action · admin_post_flexible_cookies_save_settings · src\Settings\SettingsPage.php:51
  • action · wp_enqueue_scripts · src\UI\UI.php:43
  • action · wp_head · src\UI\UI.php:45
  • action · wp_head · src\UI\UI.php:46
  • action · wp_footer · src\UI\UI.php:48
  • action · wp_footer · src\UI\UI.php:49
  • action · wp_footer · src\UI\UI.php:51
  • action · wp_dashboard_setup · vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102
  • action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
  • action · wp_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
  • action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
  • action · admin_notices · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
  • action · admin_footer · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
  • filter · wp_autoloader_loader_loaders_to_load · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
  • filter · wp_autoloader_loader_loaders_to_create · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
  • action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
  • action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
  • action · before_woocommerce_init · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
  • action · activated_plugin · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
  • filter · doing_it_wrong_trigger_error · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
  • action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
  • action · admin_menu · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
  • action · admin_init · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
  • action · admin_notices · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
  • filter · plugin_row_meta · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

Flexible Cookies Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 26, 2026
  • PHP min version: 7.4
  • Downloads: 22K

Community Trust

  • Rating: 100/100
  • Number of ratings: 4
  • Active installs: 2K
Developer Profile

Flexible Cookies Developer Profile

wpdesk

23 plugins · 127K total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 135 days
Detection Fingerprints

How We Detect Flexible Cookies

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/flexible-cookies/assets/css/frontend.css
  • /wp-content/plugins/flexible-cookies/assets/css/styles.css
  • /wp-content/plugins/flexible-cookies/assets/js/frontend.js
  • /wp-content/plugins/flexible-cookies/assets/js/frontend.js?ver=1.2.7
  • /wp-content/plugins/flexible-cookies/assets/js/settings.js
  • /wp-content/plugins/flexible-cookies/assets/js/settings.js?ver=1.2.7

Script Paths

  • js/google/advanced/advancedConsentInit.js
  • js/google/basic/basicConsentInit.js
  • js/google/consentFunctions.js
  • js/google/consentLoader.js
  • js/google/consentUpdater.js

Version Parameters

  • flexible-cookies/style.css?ver=
  • flexible-cookies/script.js?ver=
  • flexible-cookies/assets/css/frontend.css?ver=
  • flexible-cookies/assets/css/styles.css?ver=
  • flexible-cookies/assets/js/frontend.js?ver=
  • flexible-cookies/assets/js/settings.js?ver=
  • flexible-cookies/js/google/advanced/advancedConsentInit.js?ver=
  • flexible-cookies/js/google/basic/basicConsentInit.js?ver=
  • flexible-cookies/js/google/consentFunctions.js?ver=
  • flexible-cookies/js/google/consentLoader.js?ver=
  • flexible-cookies/js/google/consentUpdater.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • fc_hidden
  • fc_consent_banner
  • fc_banner_layout
  • fc_banner_bottom
  • fc_banner_top
  • fc_banner_center
  • fc_bottom_left
  • fc_bottom_right
  • +19 more

HTML Comments

  • <!-- wp:wpdesk/flexible-cookies -->
  • <!-- /wp:wpdesk/flexible-cookies -->
  • <!-- Flexible Cookies -->
  • <!-- End Flexible Cookies -->

Data Attributes

  • data-fc-cookie-id
  • data-fc-cookie-group

JS Globals

  • advancedCMSettings
  • basicCMSettings
  • gtmUpdater
  • gtmLoader