Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent (gdpr-cookie-consent) allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 3.8.0.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw (CWE-352) in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent up to and including version 3.8.0: a state‑changing plugin request can be forged because it is not tied to a per-user, per-action token. An attacker who gets a logged-in user with sufficient rights to load a page they control could change consent settings or other configuration values without the site administrator's approval, potentially leading to incorrect cookie declarations and compliance issues.

Affected Systems

The flaw affects the WordPress plugin WP Cookie Notice for GDPR, CCPA & ePrivacy Consent, distributed by WP Legal Pages. It impacts all versions from the earliest released through 3.8.0.

Risk and Exploitability

With a CVSS score of 4.3 and an EPSS of <1%, the vulnerability is moderate in severity but has a low exploitation probability. It is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects the usual CSRF shape: the attacker needs no account of their own but does need user interaction, that is, an authenticated user whose browser sends the forged HTTP request to the target site, typically from a third‑party page, to trigger a configuration change within the plugin. The conditions for exploitation are minimal, making the threat realistic albeit unlikely.

Generated by OpenCVE AI on April 30, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Cookie Notice for GDPR, CCPA & ePrivacy Consent to the latest version that removes the CSRF flaw (3.9 or newer).
  • If an update is not yet available, restrict the plugin’s administrative capabilities to a minimal set of trusted users and disable any unused settings that can be changed via forged requests.
  • Implement site‑wide CSRF protection by ensuring all state‑changing requests include a valid nonce and enforce HTTPS to prevent man‑in‑the‑middle tampering.
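The nonce-plus-capability pattern the last recommendation refers to, shown as an added example for a WordPress settings handler. This is illustrative code written for this page, not code from the gdpr-cookie-consent plugin; the `example_` action, option and nonce names are hypothetical, and a WordPress runtime (`wp_nonce_field`, `check_admin_referer`, `admin_post_*` hooks) is assumed.

```php
<?php
// Added illustration of the nonce-plus-capability pattern recommended above.
// Hypothetical settings handler; not code from the gdpr-cookie-consent plugin.
// Assumes a WordPress environment (wp_nonce_field, check_admin_referer, etc.).

// Render the settings form. wp_nonce_field() emits a hidden token bound to the
// current user and the named action; a page on another origin cannot read it,
// so a forged cross-site POST arrives without a valid nonce.
function example_render_consent_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_consent_settings">
        <?php wp_nonce_field( 'example_save_consent_settings', 'example_consent_nonce' ); ?>
        <label>
            <input type="checkbox" name="example_banner_enabled" value="1"
                <?php checked( get_option( 'example_banner_enabled', '0' ), '1' ); ?>>
            Show cookie banner
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Both checks are needed: the capability check stops
// low-privilege accounts, and the nonce check stops a logged-in admin's
// browser from being driven by a third-party page (the CSRF case, CWE-352).
function example_save_consent_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce and terminates with 403 on failure.
    check_admin_referer( 'example_save_consent_settings', 'example_consent_nonce' );

    // Only reach the state change once both checks have passed.
    $enabled = isset( $_POST['example_banner_enabled'] ) ? '1' : '0';
    update_option( 'example_banner_enabled', $enabled );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_consent_settings', 'example_save_consent_settings' );
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or `admin_init` handler that calls `update_option()` and confirm it reaches a `check_admin_referer()` / `wp_verify_nonce()` call before doing so.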

Advisories

Source: EUVD
ID: EUVD-2025-17276
Title: Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 3.8.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 3.8.0.
Values added: Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 3.8.0.

Type: Title
Values removed: WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 3.8.0 - Cross Site Request Forgery (CSRF) Vulnerability
Values added: WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin <= 3.8.0 - Cross Site Request Forgery (CSRF) Vulnerability

Type: References
Values removed: (not shown)
Values added: (not shown)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 06 Jun 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:00:00 +0000

Type: Description
Values added: Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 3.8.0.

Type: Title
Values added: WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 3.8.0 - Cross Site Request Forgery (CSRF) Vulnerability

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: (not shown)

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.200Z

Reserved: 2025-06-04T09:41:43.867Z

Link: CVE-2025-49285

Vulnrichment

Updated: 2025-06-06T18:59:32.952Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:44.150

Modified: 2026-04-23T15:31:23.563

Link: CVE-2025-49285

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:15:36Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)