CVE-2025-11754

Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure

Severity: high
Vulnerability type: Missing Authorization
CVSS Score: 7.5
Patched in: 4.1.3
Time to patch: 1d

Description

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <=4.1.2
Published: February 18, 2026
Last updated: February 19, 2026
Affected plugin: gdpr-cookie-consent

Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2025-11754 - Missing Authorization in WP Cookie Consent

1. Vulnerability Summary

The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin (slug: gdpr-cookie-consent) for WordPress is vulnerable to sensitive information exposure via its REST API. The vulnerability exists in the gdpr/v1/settings endpoint due to a missing or improperly implemented permission_callback in the register_rest_route call. This allows unauthenticated users to retrieve the plugin's internal configuration, which includes sensitive data such as API tokens, account IDs, and site keys.

2. Attack Vector Analysis

  • Endpoint: /wp-json/gdpr/v1/settings
  • HTTP Method: GET
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active. The site must have the WordPress REST API enabled (default).
  • Payload: A simple GET request to the REST namespace.

3. Code Flow (Inferred)

  1. Route Registration: During the rest_api_init hook, the plugin registers the gdpr/v1 namespace.
  2. Missing Check: In the file responsible for REST routes (likely includes/class-gdpr-cookie-consent-rest-api.php or similar), the settings route is defined.
  3. Vulnerable Code:
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => array( $this, 'get_settings' ),
        'permission_callback' => '__return_true', // OR missing entirely
    ) );
  4. Data Retrieval: The get_settings callback retrieves all plugin options (typically using get_option('wt_cli_gs_settings') or similar) and returns them as a JSON response without verifying if the requester has manage_options capabilities.
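As an added example (not the plugin's own code), the hardened form of the registration shown above: a real permission_callback plus a callback that strips credential-like keys before responding. The option name wt_cli_gs_settings and the secret field names are assumptions taken from the inferred details in this plan.

```php
<?php
// Added example, not the plugin's code. Namespace and route match the advisory;
// the option name and the secret field names are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'example_gdpr_get_settings',
        // Real authorization check: WP core turns a false return into
        // 401 for anonymous callers and 403 for users lacking manage_options.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

/**
 * Defense in depth: return the settings with credential-like keys removed,
 * so a future permission regression cannot leak tokens through this route.
 */
function example_gdpr_get_settings( WP_REST_Request $request ) {
    $settings = get_option( 'wt_cli_gs_settings', array() ); // option name assumed

    if ( ! is_array( $settings ) ) {
        return new WP_Error(
            'gdpr_settings_invalid',
            'Stored settings are not an array.',
            array( 'status' => 500 )
        );
    }

    // Field names assumed from the research plan; never echo these back.
    $secret_keys = array( 'api_token', 'api_key', 'site_key', 'account_id', 'email' );
    $safe        = array_diff_key( $settings, array_flip( $secret_keys ) );

    return rest_ensure_response( $safe );
}
```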

4. Nonce Acquisition Strategy

Based on the vulnerability description ("Missing Authorization"), this is a public REST endpoint. WordPress REST API GET requests generally do not require a nonce for unauthenticated access if the permission_callback allows it (or is missing).

If the environment has been hardened to require a REST nonce for all requests:

  1. Identify Script: The plugin likely localizes scripts for its frontend cookie banner.
  2. Create Trigger Page: Create a post to ensure the plugin's frontend assets load.
    • wp post create --post_type=page --post_status=publish --post_content='[render_cookie_consent_banner]' (Shortcode inferred from common plugin patterns).
  3. Extract Nonce: Use browser_eval to check for localized variables:
    • browser_eval("window.gdpr_cookie_consent_params?.rest_nonce") (Inferred variable name).
    • Alternatively, look for the core WordPress nonce: browser_eval("window.wpApiSettings?.nonce").

Note: For this specific "Information Exposure" vulnerability, the exploit most likely requires zero nonces.

5. Exploitation Strategy

  1. Target URL: http://<target-domain>/wp-json/gdpr/v1/settings
  2. Request Type: http_request
  3. Method: GET
  4. Headers:
    • Accept: application/json
  5. Execution: The agent will attempt to fetch the URL directly.
  6. Success Condition: A 200 OK response containing a JSON object with keys related to plugin settings (e.g., api_key, site_id, email_address, app_id).

6. Test Data Setup

To ensure the exploit has "sensitive" data to find:

  1. Activate Plugin: Ensure gdpr-cookie-consent is active.
  2. Configure Dummy Secrets: Use WP-CLI to populate the plugin settings with recognizable "sensitive" strings.
    • wp option update wt_cli_gs_settings '{"api_token":"SECRET_TOKEN_12345", "account_id":"ACCOUNT_9988", "email":"admin@victim.com"}' --format=json (Note: --format=json stores the value as an array rather than a literal JSON string. Option name wt_cli_gs_settings is inferred from the plugin's historical prefix wt_ for WebToffee).

7. Expected Results

  • Response Code: 200 OK
  • Content-Type: application/json
  • Payload Contents: A JSON object revealing the dummy data set in Step 6.
    {
        "api_token": "SECRET_TOKEN_12345",
        "account_id": "ACCOUNT_9988",
        "email": "admin@victim.com",
        ...
    }

8. Verification Steps

  1. Compare Data: Use WP-CLI to read the option and compare it with the HTTP response.
    • wp option get wt_cli_gs_settings --format=json
  2. Confirm Exposure: Verify that the "SECRET_TOKEN_12345" string appears in the response body captured by the http_request tool.

9. Alternative Approaches

If /gdpr/v1/settings returns a 401 or 403:

  1. Try Discovery: Check the REST API index to find the exact namespace/route if it differs slightly:
    • GET /wp-json/
  2. Try Traversal: Some plugins register routes under wp/v2 or other namespaces. Search the plugin folder for register_rest_route to find the exact path.
  3. Check for Nonce Requirement: If a 403 is returned with a "rest_cookie_invalid" or "rest_forbidden" message, the exploit may require the X-WP-Nonce header. Extract the nonce from the frontend using browser_navigate and browser_eval as described in Section 4.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Cookie Consent plugin for WordPress exposes sensitive configuration data through its REST API endpoint gdpr/v1/settings. Due to a missing authorization check, unauthenticated attackers can retrieve internal plugin settings including API tokens, account IDs, and site keys.

Vulnerable Code

// File: includes/class-gdpr-cookie-consent-rest-api.php (line numbers inferred)

register_rest_route( 'gdpr/v1', '/settings', array(
    'methods'             => 'GET',
    'callback'            => array( $this, 'get_settings' ),
    'permission_callback' => '__return_true', 
) );

Security Fix

--- a/includes/class-gdpr-cookie-consent-rest-api.php
+++ b/includes/class-gdpr-cookie-consent-rest-api.php
@@ -10,7 +10,9 @@
         register_rest_route( 'gdpr/v1', '/settings', array(
             'methods'             => 'GET',
             'callback'            => array( $this, 'get_settings' ),
-            'permission_callback' => '__return_true',
+            'permission_callback' => function () {
+                return current_user_can( 'manage_options' );
+            },
         ) );
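Review bot: the new permission_callback gates reads behind manage_options, but the hunk does not show get_settings itself, so confirm two things before treating this as complete: that no frontend (unauthenticated) script consumed this route, since those callers now receive 401/403, and that get_settings strips credential fields (api tokens, site keys) rather than returning the raw option array, so a future permission regression cannot re-expose them. Note also that the file path and line numbers are marked as inferred above, so this diff is a reconstruction to be checked against the actual 4.1.3 release rather than the vendor's commit.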

Exploit Outline

  1. Identify a WordPress site running WP Cookie Consent <= 4.1.2.
  2. Send a simple HTTP GET request to the endpoint: /wp-json/gdpr/v1/settings.
  3. No authentication or nonces are typically required for this unauthenticated REST route.
  4. Observe the JSON response, which contains the plugin's complete configuration array, potentially revealing sensitive fields like 'api_token', 'site_id', or 'email_address'.
