Description
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
Published: 2025-10-24
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (Internal Network Access)
Action: Update Plugin
AI Analysis

Impact

The Real Cookie Banner plugin’s /scanner/scan-without-login endpoint fails to validate the user‑supplied URL parameter. This flaw enables an authenticated administrator or higher‑privileged user to cause the server to fetch any address it can reach, allowing the attacker to scan, read or modify internal network resources. The resulting data disclosure or alteration compromises confidentiality, integrity and, in some scenarios, availability of services behind the WordPress host.

Affected Systems

The vulnerability is present in all releases of the devowl Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress up to and including version 5.2.4.

Risk and Exploitability

With a CVSS score of 6.8 the issue is considered medium severity, and the EPSS score of less than 1 % indicates a low probability of exploitation at present. The flaw requires administrative authentication, but once accessed it gives the attacker the ability to issue arbitrary HTTP requests from the host, potentially exposing internal resources. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been reported yet.

Generated by OpenCVE AI on April 22, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Real Cookie Banner to the latest version that contains the SSRF fix.
  • Disable the /scanner/scan-without-login REST endpoint for non‑admin users or remove it if not required.
  • Add network segmentation or firewall rules to block outbound requests from the WordPress server to internal IP ranges that the plugin does not need to reach.

Generated by OpenCVE AI on April 22, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Devowl
Devowl wordpress Real Cookie Banner
Wordpress
Wordpress wordpress
Vendors & Products Devowl
Devowl wordpress Real Cookie Banner
Wordpress
Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
Title Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Devowl Wordpress Real Cookie Banner
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:20.990Z

Reserved: 2025-10-23T21:10:37.522Z

Link: CVE-2025-12136

cve-icon Vulnrichment

Updated: 2025-10-24T12:10:40.445Z

cve-icon NVD

Status : Deferred

Published: 2025-10-24T10:15:38.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses