CVE-2025-12136
Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint
mediumServer-Side Request Forgery (SSRF)
6.8
CVSS Score
6.8
CVSS Score
medium
Severity
5.2.5
Patched in
1d
Time to patch
Description
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
High
Confidentiality
None
Integrity
None
Availability
Technical Details
Affected versions
<=5.2.4PublishedOctober 23, 2025
Last updatedOctober 24, 2025
Affected pluginreal-cookie-banner
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.