CVE-2025-14061
Unauthorized Data Modification in WP Cookie Consent Plugin
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_cookie_consent | 4.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Cookie Consent plugin for WordPress allows unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID. This happens because the gdpr_delete_policy_data function lacks a capability check, meaning it does not verify if the user has permission to perform the deletion. This affects all versions up to and including 4.0.7.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers without authentication to delete your website's content such as posts, pages, attachments, and other post types. This can lead to data loss, disruption of your website's functionality, and potential damage to your site's reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID due to a missing capability check in the gdpr_delete_policy_data function. This unauthorized data modification could undermine the integrity and availability of data managed by the WP Cookie Consent plugin, which is designed to help with GDPR, CCPA, and ePrivacy compliance. As a result, organizations relying on this plugin might face challenges in maintaining compliance with data protection regulations like GDPR and HIPAA, since critical policy data or consent records could be maliciously deleted, potentially impacting audit trails and data governance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP Cookie Consent plugin to a version later than 4.0.7 where the missing capability check on the gdpr_delete_policy_data function is fixed. Until an update is applied, restrict access to the plugin's administrative functions and monitor for unauthorized deletion of posts or pages. Consider disabling or removing the plugin if an update is not available.
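The capability check described above, shown as an added PHP example that is not the plugin's own code: a WordPress AJAX deletion handler with the nonce, post-type and capability checks in place before anything is deleted. The action name, nonce field, request field and post type are hypothetical, and the snippet assumes it is loaded inside WordPress.

```php
<?php
/**
 * Added illustration, not the WP Cookie Consent plugin's code.
 * Hypothetical names: example_delete_policy (AJAX action and nonce action),
 * example_policy (post type), post_id / nonce (request fields).
 */
defined( 'ABSPATH' ) || exit;

// Register for logged-in users only. Adding a matching wp_ajax_nopriv_ hook
// would expose the handler to visitors who are not logged in.
add_action( 'wp_ajax_example_delete_policy', 'example_delete_policy_handler' );

function example_delete_policy_handler() {
	// 1. CSRF: reject requests that lack a valid nonce for this action.
	if ( ! check_ajax_referer( 'example_delete_policy', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Treat the ID as untrusted input.
	$post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
	if ( 0 === $post_id ) {
		wp_send_json_error( array( 'message' => 'Missing post ID.' ), 400 );
	}

	// 3. Scope: only the feature's own post type, so the endpoint cannot
	//    reach arbitrary posts, pages or attachments by ID.
	if ( 'example_policy' !== get_post_type( $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Not a policy record.' ), 404 );
	}

	// 4. Authorization (the step CWE-862 describes as missing): the meta
	//    capability maps to the right primitive capability for this post.
	if ( ! current_user_can( 'delete_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	// 5. Only now perform the destructive action (true = bypass the trash).
	if ( ! wp_delete_post( $post_id, true ) ) {
		wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
	}
	wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

The order matters: every check returns an error response and stops before `wp_delete_post()` is reached, so a request that fails any one of them changes nothing.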