CVE-2026-4304
Deferred Deferred - Pending Action
SQL Injection in WeePie Cookie Allow WordPress Plugin

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-05-07
AI Q&A
2026-05-05
EPSS Evaluated
N/A
NVD
CVE-2026-4304
EUVD
EUVD-2026-27329
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weepieplugins wee_pie_cookie_allow_plugin to 3.4.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The WeePie Cookie Allow plugin for WordPress has a vulnerability known as SQL Injection via the 'consent' parameter in all versions up to and including 3.4.11. This happens because the plugin does not properly escape user-supplied input and does not sufficiently prepare the existing SQL query. As a result, unauthenticated attackers can append additional SQL queries to the existing ones, potentially extracting sensitive information from the database.


How can this vulnerability impact me? :

This vulnerability can allow unauthenticated attackers to extract sensitive information from your website's database by injecting malicious SQL queries through the 'consent' parameter. This could lead to data breaches, exposing user data or other confidential information stored in the database.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The WeePie Cookie Allow plugin is designed to help manage cookie consent for GDPR and CCPA compliance. However, the SQL Injection vulnerability could undermine this purpose by allowing attackers to bypass cookie consent mechanisms or extract sensitive data, potentially leading to non-compliance with regulations such as GDPR and HIPAA that require protection of personal data and user consent.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-4304 vulnerability in the WeePie Cookie Allow plugin, you should immediately update the plugin to version 3.4.12 or later, as this version contains the fix for the SQL Injection issue.

Updating the plugin ensures that the insufficient escaping and lack of preparation on the 'consent' parameter in SQL queries are resolved, preventing unauthenticated attackers from exploiting the vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart