CVE-2025-11754
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Access in GDPR Cookie Consent Plugin via REST API

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11754
EUVD
EUVD-2025-207892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webtoffee gdrp_cookie_consent to 4.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The GDPR Cookie Consent plugin for WordPress has a vulnerability due to a missing capability check on its REST API endpoint 'gdpr/v1/settings' in all versions up to and including 4.1.2."}, {'type': 'paragraph', 'content': 'This flaw allows unauthenticated attackers to access sensitive plugin settings without proper authorization.'}, {'type': 'paragraph', 'content': 'Specifically, attackers can retrieve sensitive data such as API tokens, email addresses, account IDs, and site keys by exploiting this endpoint.'}, {'type': 'paragraph', 'content': "The underlying issue is that the permission check relies only on the presence of a 'token' parameter and a platform string match ('wordpress'), without validating the token's authenticity or scope, which can be bypassed."}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

An attacker gaining access to these details could potentially misuse API tokens or other credentials to further compromise the website or related services.

Since the vulnerability allows unauthenticated access, it increases the risk of data exposure without requiring any prior access or authentication.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable REST API endpoint without proper authentication and observing if sensitive plugin settings are returned.

Specifically, you can send an HTTP POST request to the endpoint `/wp-json/gdpr/v1/settings` on your WordPress site and check if it returns sensitive data such as API tokens, email addresses, account IDs, and site keys without valid authorization.

A sample command using curl to test this would be:

  • curl -X POST https://your-wordpress-site.com/wp-json/gdpr/v1/settings

If the response contains sensitive plugin settings without requiring valid tokens or proper permissions, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to update the GDPR Cookie Consent plugin to version 4.1.3 or later, where this vulnerability has been addressed.

Until the update can be applied, restrict access to the vulnerable REST API endpoint by implementing firewall rules or access controls that block unauthenticated requests to `/wp-json/gdpr/v1/settings`.

Additionally, review and limit exposure of sensitive plugin settings and tokens in your environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart