CVE-2026-22348
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | civic_cookie_control | to 1.53 (inc) |
| patchstack | civic_cookie_control | 1.54 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress Civic Cookie Control Plugin (versions up to 1.53). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the installed version of the Civic Cookie Control plugin is version 1.53 or earlier, as these versions are affected. Since the vulnerability allows unauthenticated users to perform privileged actions due to missing authorization checks, monitoring for unusual or unauthorized actions initiated by unauthenticated users in the plugin's functionality could indicate exploitation attempts. Specific commands are not provided in the resources, but checking the plugin version can be done via WordPress CLI commands such as 'wp plugin list' to verify the installed version. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Civic Cookie Control plugin to version 1.54 or later, where the vulnerability is resolved. Additionally, enabling auto-updates for vulnerable plugins, if supported, can help ensure timely patching. Since the vulnerability requires no privileges to exploit, timely updating is critical to reduce risk. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
The vulnerability allows unauthenticated users to perform privileged actions, potentially leading to unauthorized changes or access within the plugin. However, it has a low severity impact with a CVSS score of 5.3 and is considered unlikely to be exploited in a way that causes significant harm. [1]