Executive Summary

CVE-2026-24604 is a Broken Access Control vulnerability in the WordPress Simple GDPR Cookie Compliance Plugin (version 2.0.0 and earlier). It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that should require higher privileges. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability could allow unauthorized users to perform privileged actions within the plugin, potentially compromising the security of the website's cookie compliance settings. However, it has a low severity score (CVSS 5.3) and is considered unlikely to be exploited. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Since no official fix or patched version is currently available for this vulnerability, immediate mitigation steps include disabling or uninstalling the Simple GDPR Cookie Compliance plugin version 2.0.0 or earlier, restricting access to the plugin's administrative functions to trusted users only, and monitoring for any suspicious activity related to the plugin. Additionally, consider applying web application firewall (WAF) rules to block unauthorized access attempts targeting the plugin's endpoints. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is in a plugin designed for GDPR cookie compliance, and it involves broken access control allowing unauthorized actions. While this could potentially undermine the effectiveness of GDPR compliance measures by allowing unauthorized users to bypass controls, there is no explicit information provided about its direct impact on compliance with GDPR, HIPAA, or other standards. Therefore, the exact effect on compliance with these regulations is not detailed in the provided resources. [1]

Useful 0 Not Useful 0