CVE-2026-24604

Simple GDPR Cookie Compliance <= 2.0.0 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 2.0.1
Time to patch: 42d

Description

The Simple GDPR Cookie Compliance plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.0.0
Published: January 14, 2026
Last updated: February 25, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24604 - Simple GDPR Cookie Compliance

1. Vulnerability Summary

The Simple GDPR Cookie Compliance plugin (<= 2.0.0) contains a missing authorization vulnerability. Specifically, an AJAX handler is registered for unauthenticated users (wp_ajax_nopriv_) but fails to verify the caller's capabilities using current_user_can(). This allows unauthenticated attackers to trigger sensitive actions, such as modifying plugin settings or resetting configuration, which are intended for administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication: None (Unauthenticated)
  • Action: Likely an AJAX action registered via wp_ajax_nopriv_. Potential candidates include actions related to "saving settings", "resetting data", or "dismissing notices".
  • Payload Parameters:
    • action: The vulnerable AJAX action string (e.g., sgcc_save_settings, simple_gdpr_update_options; to be verified).
    • nonce: A security nonce (if required, likely available on the frontend).
    • Data parameters: Parameters representing the settings to be updated (e.g., settings[...]).

3. Code Flow

  1. Entry Point: The plugin registers an AJAX action in the main plugin file or an initialization class:
    add_action( 'wp_ajax_nopriv_VULNERABLE_ACTION', 'vulnerable_function_callback' );
    
  2. Missing Check: The vulnerable_function_callback is executed. It may call check_ajax_referer() (nonce check) but lacks a check for current_user_can( 'manage_options' ).
  3. Data Sink: User-supplied data from $_POST is passed into a function like update_option() or wp_update_post(), leading to unauthorized state changes.
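To make the code flow above concrete, the following is an added example and not the plugin's own code: every action, callback, option and field name in it is hypothetical. It shows a settings handler with the defect the advisory describes (registered under wp_ajax_nopriv_ with only a nonce check before update_option()) next to a hardened version. The hardened handler adds the two things that are missing: a current_user_can() check before any work is done, and a whitelist-and-sanitize pass before the write. A nonce alone only proves the request came from a page that rendered it, which any visitor to a site that shows a cookie banner can obtain; it is CSRF protection, not authorization.

```php
<?php
/**
 * Added example for CVE-2026-24604's bug class (not the Simple GDPR Cookie
 * Compliance plugin's code). All hook names, callbacks, option names and
 * field names below are hypothetical placeholders.
 */

// ---------- Vulnerable pattern (as described in the advisory) ----------
// Registering the same callback under wp_ajax_nopriv_ exposes it to visitors
// who are not logged in. check_ajax_referer() only verifies a nonce, which
// the frontend banner hands to every visitor, so nothing here establishes
// that the caller is an administrator.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' ); // the mistake

function example_save_settings_vulnerable() {
    check_ajax_referer( 'example_settings', 'nonce' ); // CSRF check only
    // Missing: current_user_can( 'manage_options' ).
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings ); // unsanitized, site-wide write
    wp_send_json_success();
}

// ---------- Hardened pattern ----------
// 1. Register only the authenticated hook; an admin-only action has no
//    business under wp_ajax_nopriv_.
// 2. Check the capability before doing anything else, then the nonce.
// 3. Accept only known fields, coerce types, strip markup before saving.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'example_settings', 'nonce' );

    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', example_sanitize_settings( $raw ) );
    wp_send_json_success();
}

/**
 * Whitelist the fields the plugin actually stores and sanitize each one, so a
 * stored value can never reach the frontend as markup (stored XSS).
 */
function example_sanitize_settings( array $raw ) {
    return array(
        'enabled'     => ! empty( $raw['enabled'] ) ? 1 : 0,
        'banner_text' => isset( $raw['banner_text'] ) ? sanitize_text_field( $raw['banner_text'] ) : '',
    );
}
```

Anonymous AJAX is legitimate for a cookie-consent plugin (recording a visitor's choice), so the fix is not to drop wp_ajax_nopriv_ everywhere but to keep it off any handler that writes site-wide options. If the banner text must carry limited markup, replace sanitize_text_field() with wp_kses_post(). When auditing a plugin for this bug class, list every wp_ajax_nopriv_ registration and confirm that each callback touches only per-visitor state, never update_option() or post data.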

4. Nonce Acquisition Strategy

If the vulnerable function uses check_ajax_referer( 'action_name', 'nonce_key' ), the nonce must be obtained from the frontend.

  1. Identify Script Enqueueing: Find where wp_localize_script is called. Look for the localization variable (e.g., sgcc_ajax_obj).
  2. Identify Trigger: The plugin likely loads its scripts on the frontend to display the cookie banner.
  3. Automated Extraction:
    • Step 1: Navigate to the WordPress homepage using browser_navigate.
    • Step 2: If the scripts don't load on the homepage, check if a specific shortcode is needed (e.g., [gdpr_banner]). If so, create a test page:
      wp post create --post_type=page --post_status=publish --post_content='[target_shortcode]'
    • Step 3: Use browser_eval to extract the nonce:
      browser_eval("window.sgcc_ajax_obj?.nonce") (Replace sgcc_ajax_obj and nonce with actual keys found during discovery).

5. Exploitation Strategy

Phase 1: Discovery

Find the exact AJAX action and parameter names.

  1. grep -rn "wp_ajax_nopriv_" wp-content/plugins/simple-gdpr-cookie-compliance/
  2. Examine the callback function for calls to update_option.
  3. Note the required parameters and the nonce action string.

Phase 2: Execution

Prepare a POST request to admin-ajax.php.

Request Structure (Example - Inferred):

  • URL: http://vulnerable-site.local/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=VULNERABLE_ACTION&nonce=EXTRACTED_NONCE&settings[banner_text]=<script>alert('XSS')</script>&settings[enabled]=1
    

6. Test Data Setup

  1. Plugin Installation: Ensure simple-gdpr-cookie-compliance version <= 2.0.0 is active.
  2. Configuration: Use default settings.
  3. Shortcode Page: Create a page containing any plugin-specific shortcode to ensure frontend scripts (and nonces) are rendered.
    wp post create --post_title="GDPR Test" --post_content="[simple_gdpr_cookie_compliance]" --post_status="publish" --post_type="page"
    

7. Expected Results

  • Success: The server returns a success response (e.g., {"success": true} or 1).
  • Impact: Plugin settings are modified. If banner_text was targeted, visiting the homepage will now trigger a JavaScript alert or display modified text.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the option value was changed.
    wp option get simple_gdpr_settings
    
  2. Frontend Check: Navigate to the homepage and check for the injected payload in the HTML source.
    # Use browser_navigate to homepage, then check HTML
    

9. Alternative Approaches

  • Missing Nonce Check: If check_ajax_referer is absent, the exploit becomes trivial (remove the nonce parameter).
  • Settings Reset: If the vulnerability is in a "reset" function (e.g., wp_ajax_nopriv_reset_gdpr), the impact is Availability (wiping plugin config) rather than Integrity (XSS).
  • Unsubscribe/Data Export: Check for actions related to user data export or deletion (wp_ajax_nopriv_export_data) which might lead to PII exposure.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Simple GDPR Cookie Compliance plugin for WordPress is vulnerable to unauthorized access due to the registration of sensitive AJAX handlers for unauthenticated users without capability checks. This allows unauthenticated attackers to modify plugin settings or perform administrative actions by sending crafted requests to the WordPress admin-ajax.php endpoint.

Exploit Outline

  1. Nonce Acquisition: Inspect the frontend of the target site to locate the AJAX nonce associated with the GDPR banner, typically found within a localized JavaScript object (e.g., 'sgcc_ajax_obj').
  2. Action Identification: Identify the specific AJAX action registered via wp_ajax_nopriv_ (e.g., related to saving settings or updating options).
  3. Payload Crafting: Create a POST request to '/wp-admin/admin-ajax.php' containing the 'action' parameter, the extracted 'nonce', and parameters representing the settings to be modified (such as banner text or feature toggles).
  4. Request Execution: Send the unauthenticated request to the server. Since the plugin callback fails to verify the user's permissions via current_user_can(), the server will process the configuration changes.
  5. Verification: Confirm the settings have been altered by checking the plugin's configuration page in the dashboard or observing the modified output on the site's frontend.
