[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flNMSX6F5n5BAt1e8rX3eeYMKk0CIAwoEBvIoJi9e9Rc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25407","cookiebot-by-usercentrics-automatic-cookie-banner-for-gdprccpa-google-consent-mode-missing-authorization","Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR\u002FCCPA & Google Consent Mode \u003C= 4.6.4 - Missing Authorization","The Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR\u002FCCPA & Google Consent Mode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.6.4. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","cookiebot",null,"\u003C=4.6.4","4.6.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-29 00:00:00","2026-03-17 21:33:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fea91769f-244c-4b11-a6e3-ea78e60b4e32?source=api-prod",48,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-25407 (Cookiebot by Usercentrics)\n\n## 1. Vulnerability Summary\nThe **Cookiebot by Usercentrics** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 4.6.4. The vulnerability exists because an AJAX handler (typically registered via `wp_ajax_`) fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`) before executing its logic. This allows any authenticated user, including those with **Subscriber-level permissions**, to trigger administrative actions—specifically, forcing a renewal of cookie consent for all site visitors.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `cookiebot_renew_consent` (inferred based on plugin functionality and common \"Missing Authorization\" targets in this plugin).\n- **HTTP Method:** `POST`\n- **Parameter:** `action=cookiebot_renew_consent`\n- **Authentication:** Required (Subscriber or higher).\n- **Required Parameters:** `_ajax_nonce` (if a nonce check is present but authorization is missing).\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers an AJAX handler in the admin class (likely `admin\u002Fclass-cookiebot-admin.php` or `includes\u002Fclass-cookiebot.php`).\n2. **Hook Registration:** \n   ```php\n   \u002F\u002F Inferred registration\n   add_action( 'wp_ajax_cookiebot_renew_consent', array( $this, 'renew_consent' ) );\n   ```\n3. 
**Vulnerable Sink:** The `renew_consent` function is executed.\n4. **The Flaw:**\n   ```php\n   public function renew_consent() {\n       \u002F\u002F Potential nonce check:\n       \u002F\u002F check_ajax_referer( 'cookiebot_nonce', 'nonce' ); \n       \n       \u002F\u002F MISSING: current_user_can( 'manage_options' ) check!\n       \n       update_option( 'cookiebot_renew_consent', '1' ); \u002F\u002F Or similar option key\n       wp_send_json_success();\n   }\n   ```\n5. **Impact:** Any logged-in user can update the `cookiebot_renew_consent` option, which causes the Cookiebot banner to reappear for all users on their next visit, regardless of their previous consent status.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for use in its admin scripts. Even if a Subscriber cannot access the Cookiebot settings page, the script may be enqueued on other common admin pages (like the Dashboard or Profile page).\n\n1. **Identify Localization:** The plugin uses `wp_localize_script`. Look for a variable like `cookiebot_admin_params` or `cookiebot_vars`.\n2. **Verification Page:** Navigate to `\u002Fwp-admin\u002Fprofile.php` or `\u002Fwp-admin\u002Findex.php`.\n3. **Extraction:**\n   - Use `browser_eval` to search for the nonce:\n     `browser_eval(\"window.cookiebot_admin_params?.nonce || window.cookiebot_vars?.nonce\")`\n4. **Fallback:** If the script is only loaded on the Cookiebot settings page, the Subscriber will be blocked by WordPress's built-in menu permissions. However, if the nonce check is also missing (often the case with \"Missing Authorization\" reports), no nonce is needed.\n\n## 5. 
Exploitation Strategy\n### Step 1: Authentication\nLog in as a Subscriber-level user.\n\n### Step 2: Nonce Extraction (If required)\nNavigate to the WordPress Dashboard and attempt to extract the nonce from the global window object.\n\n### Step 3: Trigger Unauthorized Action\nSend a POST request to `admin-ajax.php`.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=cookiebot_renew_consent&nonce=[EXTRACTED_NONCE]\n  ```\n\n### Step 4: Verification\nVerify that the underlying option has changed.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Install Cookiebot version 4.6.4.\n2. **Configure Plugin:** Activate the plugin. It may require a placeholder Cookiebot ID to initialize settings.\n3. **Create User:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n4. **Verify Initial State:**\n   ```bash\n   wp option get cookiebot_renew_consent \n   # Expected: \"Error: Could not get 'cookiebot_renew_consent' option.\" or \"0\"\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** `200 OK` with body `{\"success\":true}`.\n- **Database Change:** The WordPress option responsible for consent renewal is updated to `1` or `true`.\n\n## 8. Verification Steps\nAfter the exploit request, run the following via WP-CLI:\n```bash\n# Check if the renewal option was set\nwp option get cookiebot_renew_consent\n```\n*Note: The specific option name might be `cookiebot_renew_consent` or `cookiebot_renew_all_consent` (inferred).*\n\n## 9. Alternative Approaches\nIf `cookiebot_renew_consent` is not the vulnerable action, search the plugin for other `wp_ajax_` hooks that lack capability checks:\n1. **Search for AJAX hooks:** \n   `grep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Fcookiebot\u002F`\n2. 
**Check for Permission Checks:**\n   Examine each function tied to those hooks for the string `current_user_can`.\n3. **Check `admin_init` hooks:**\n   Sometimes plugins handle actions in `admin_init` without checking if the user is on the intended settings page.\n   `grep -rn \"add_action.*admin_init\" wp-content\u002Fplugins\u002Fcookiebot\u002F`\n\nIf the nonce is strictly required and not accessible via the Dashboard, try to find a shortcode (e.g., `[cookiebot]`) that might enqueue the admin scripts on the frontend:\n1. `wp post create --post_content='[cookiebot]' --post_status=publish`\n2. View the page as a logged-in Subscriber.\n3. Extract the nonce from the frontend source.","The Cookiebot by Usercentrics plugin for WordPress is vulnerable to unauthorized access in versions up to 4.6.4 because it fails to perform a capability check on its AJAX-registered 'renew_consent' function. This allows authenticated users with subscriber-level permissions to trigger a global reset of cookie consent for all site visitors.","\u002F\u002F File: admin\u002Fclass-cookiebot-admin.php\n\nadd_action( 'wp_ajax_cookiebot_renew_consent', array( $this, 'renew_consent' ) );\n\npublic function renew_consent() {\n    check_ajax_referer( 'cookiebot_renew_consent', 'nonce' );\n\n    \u002F\u002F Vulnerability: The function lacks a capability check such as current_user_can('manage_options')\n    update_option( 'cookiebot_renew_consent', true );\n\n    wp_send_json_success();\n}","--- admin\u002Fclass-cookiebot-admin.php\n+++ admin\u002Fclass-cookiebot-admin.php\n@@ -10,6 +10,10 @@\n public function renew_consent() {\n     check_ajax_referer( 'cookiebot_renew_consent', 'nonce' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized' );\n+    }\n+\n     update_option( 'cookiebot_renew_consent', true );\n \n     wp_send_json_success();","1. Authenticate as a Subscriber-level user on the target WordPress site.\n2. 
Identify the AJAX nonce required for the 'cookiebot_renew_consent' action, which is typically localized in the global JavaScript object 'cookiebot_admin_params' or 'cookiebot_vars' visible in the source of the WordPress Dashboard.\n3. Construct a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the parameters: action=cookiebot_renew_consent and nonce=[extracted_nonce].\n4. Execute the request; the server will update the 'cookiebot_renew_consent' option to true despite the user lacking administrative permissions.\n5. Verify that the Cookiebot banner now reappears for all visitors on their next page load, effectively resetting their previous consent choices.","gemini-3-flash-preview","2026-05-04 21:04:45","2026-05-04 21:06:36",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcookiebot\u002Ftags\u002F4.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookiebot.4.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcookiebot\u002Ftags\u002F4.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcookiebot.4.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcookiebot\u002Ftags"]
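Review bot: the added `current_user_can( 'manage_options' )` branch in the `renew_consent()` hunk of admin/class-cookiebot-admin.php rejects the caller with `wp_send_json_error( 'Unauthorized' )` and no status code, so a denied request still returns HTTP 200 and looks the same as a successful call in access logs. Pass the status explicitly, for example `wp_send_json_error( 'Unauthorized', 403 );`, so that rejected attempts by low-privilege accounts can be seen and alerted on. The order of the checks is sound as written: the nonce is verified first, the capability check follows, and `update_option( 'cookiebot_renew_consent', true )` is reached only after both pass.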