Description
The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID.
Published: 2025-12-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of arbitrary posts, pages, and attachments
Action: Apply Patch
AI Analysis

Impact

The WordPress plugin omits a capability check in the gdpr_delete_policy_data function, allowing an unauthenticated user to trigger permanent deletion of any post, page, or attachment by supplying its ID. This flaw is classified as a missing authorization weakness (CWE-862), leading to integrity loss of site content and potential site disruption.

Affected Systems

The vulnerability affects the wplegalpages "Cookie Banner for GDPR / CCPA – WPLP Cookie Consent" plugin up to and including version 4.0.7. Any installation of this plugin before the fix is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. An EPSS score of less than 1% points to a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request that reaches the vulnerable function and passes the ID of any post, page, or other post type to delete.

Generated by OpenCVE AI on April 22, 2026 at 00:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Cookie Consent plugin to the latest version that includes the missing capability check.
  • If an update is not immediately possible, disable the plugin or the gdpr_delete_policy_data endpoint to block unauthenticated deletion attempts.
  • As a temporary fix, inspect the plugin code and introduce an explicit capability check (for example, require the current user to have the "manage_options" capability) before executing any deletion logic.

Generated by OpenCVE AI on April 22, 2026 at 00:10 UTC.
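The explicit capability check recommended above, shown as an added illustration that is not code from the plugin or from OpenCVE. The hook names, the handler bodies and the policy post type name "example_policy_page" are assumptions; the plugin's real handler is not reproduced here.

```php
<?php
// Weak pattern of the kind CVE-2025-14061 describes: a destructive AJAX
// action registered on the nopriv hook (reachable without login) with no
// capability check, so any supplied ID is deleted. Illustrative only.
add_action( 'wp_ajax_nopriv_gdpr_delete_policy_data', 'example_delete_policy_data_weak' );
function example_delete_policy_data_weak() {
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_delete_post( $post_id, true ); // permanent, any post type
    wp_send_json_success();
}

// Hardened form: logged-in hook only (no nopriv registration), caller must
// hold manage_options and present a valid nonce, the target must belong to
// the post type the feature manages, and WordPress' per-post delete_post
// meta capability is checked before the permanent deletion.
add_action( 'wp_ajax_gdpr_delete_policy_data', 'example_delete_policy_data_hardened' );
function example_delete_policy_data_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a -1 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_policy_data', 'nonce' );

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = get_post( $post_id );

    // Assumed post type for the plugin's policy pages; restrict deletion to it
    // so that arbitrary posts, pages and attachments are never in scope.
    if ( ! $post || 'example_policy_page' !== $post->post_type ) {
        wp_send_json_error( 'invalid target', 400 );
    }
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

The nonce on the client side is produced with wp_create_nonce( 'example_delete_policy_data' ) and sent as the "nonce" field; a handler that only checks the nonce but not the capability would still be a CWE-862 case.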

Tracking

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 22:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 14:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Wordpress; Wordpress wordpress; Wplegalpages; Wplegalpages wp Cookie Consent

Type: Vendors & Products
Values removed: none
Values added: Wordpress; Wordpress wordpress; Wplegalpages; Wplegalpages wp Cookie Consent

Wed, 17 Dec 2025 07:00:00 +0000

Type: Description
Values removed: none
Values added: The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID.

Type: Title
Values removed: none
Values added: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.0.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: (none shown)

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wplegalpages Wp Cookie Consent
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:48.101Z

Reserved: 2025-12-04T20:05:20.864Z

Link: CVE-2025-14061

Vulnrichment

Updated: 2025-12-17T21:34:28.974Z

NVD

Status: Deferred

Published: 2025-12-17T07:15:58.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses