Impact
The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress registers a REST API route at /wp-json/gdpr/v1/settings that should be guarded by a capability check. In all releases up to and including version 4.1.2 the plugin does not verify that the requester is allowed to read configuration settings, so any caller, authenticated or not, can retrieve the plugin's configuration, which includes API tokens, email addresses, account identifiers and site keys. With those values an attacker can act against the third-party integrations the plugin is configured with and potentially gain unauthorized access to the services behind those credentials; the result is a loss of confidentiality for the site and for the external resources it relies on.
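The failure described above is a REST route whose permission_callback never rejects anyone. The following is an added example written for this page, not the plugin's own source: it reconstructs the vulnerable registration pattern next to a hardened one. The option name gdpr_settings, the function names and the exact route arguments are assumptions; only the WordPress functions (register_rest_route, current_user_can, rest_authorization_required_code, rest_ensure_response) are real API.

```php
<?php
/**
 * Added example, not the plugin's code. Shows a settings route registered
 * without an effective capability check, and the hardened replacement.
 * Option name 'gdpr_settings' and the gdpr_example_* names are assumptions.
 */

// Read callback shared by both forms. Returning the raw option is what
// exposes API tokens and site keys when the permission check is missing.
function gdpr_example_get_settings( WP_REST_Request $request ) {
    $settings = get_option( 'gdpr_settings', array() ); // assumed option name
    return rest_ensure_response( $settings );
}

// VULNERABLE form: '__return_true' lets every caller, logged in or not,
// read the settings. Omitting 'permission_callback' entirely behaves the
// same way for enforcement purposes (WordPress 5.5+ only logs a
// _doing_it_wrong notice; the route is still served).
function gdpr_example_register_routes_vulnerable() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gdpr_example_get_settings',
        'permission_callback' => '__return_true', // the bug
    ) );
}

// HARDENED form: the same route, gated on the capability that governs
// site configuration. WordPress evaluates permission_callback before
// the callback runs, so the settings are never built for a rejected caller.
function gdpr_example_can_read_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // rest_authorization_required_code() returns 401 for anonymous
        // callers and 403 for logged-in users without the capability,
        // matching the convention core's own controllers use.
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to read these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function gdpr_example_register_routes_hardened() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gdpr_example_get_settings',
        'permission_callback' => 'gdpr_example_can_read_settings',
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept
// above purely for comparison.
add_action( 'rest_api_init', 'gdpr_example_register_routes_hardened' );
```

To confirm the check is in place on a site, issue an unauthenticated GET to /wp-json/gdpr/v1/settings from outside: a hardened route answers with a JSON error and HTTP 401, whereas a vulnerable one returns the settings object. Because cookie-based REST requests also need a valid X-WP-Nonce before WordPress will populate the current user, a logged-in browser session without the nonce is treated as anonymous and should likewise receive 401, not the settings.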
Affected Systems
All WordPress sites running the WPLP Cookie Consent plugin at version 4.1.2 or earlier are affected. The plugin, listed as Cookie Banner for GDPR / CCPA – WPLP Cookie Consent, is distributed through the WordPress plugin repository and installs on any standard WordPress site.
Risk and Exploitability
A CVSS score of 7.5 places the issue in the High severity band; the EPSS score below 1% indicates that exploitation in the wild is not yet widespread, not that it is difficult. The issue is not listed in the CISA KEV catalog. Exploitation is a single unauthenticated request to the exposed REST route, so any attacker who can reach the site can trigger it; no account or user interaction is required. Successful exploitation discloses the stored tokens and identifiers, which an attacker can reuse directly against the integrated third-party services or use as a foothold for taking over the accounts behind them.
OpenCVE Enrichment