Impact
The Simple GDPR Cookie Compliance plugin suffers from a missing authorization flaw that allows attackers to bypass access controls and manipulate or view cookie-compliance settings. This broken access control can enable unauthorized configuration changes, potentially exposing cookie handling logic and user preferences to unauthenticated or improperly authorized users. The vulnerability is classified as CWE-862 (Missing Authorization), an access-control weakness that could affect the confidentiality and integrity of site configuration data.
Affected Systems
The affected component is the WordPress plugin Simple GDPR Cookie Compliance by themebeez, versions from the earliest release through 2.0.0 inclusive. Any site using an instance of this plugin up to and including version 2.0.0 is potentially impacted.
Risk and Exploitability
The CVSS score of 5.3 reflects medium severity, while an EPSS score below 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to target a site where the plugin is active and attempt to access or modify configuration endpoints that lack proper authorization. The risk is moderate; however, because the flaw grants unauthorized administrative access within the plugin, it could be used to influence site behavior or bypass privacy controls.
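As an added illustration, not code from the plugin or from themebeez, the following shows the CWE-862 pattern in a WordPress settings handler next to its hardened form; the sgcc_ prefix, the option name and the field names are hypothetical.

```php
<?php
// Added illustration, not code from Simple GDPR Cookie Compliance.
// Hypothetical settings handler showing the CWE-862 pattern and its fix.

// BEFORE (missing authorization): any logged-in user can overwrite the
// plugin's settings, and any visitor could if a nopriv hook were registered.
add_action( 'wp_ajax_sgcc_save_settings_insecure', 'sgcc_save_settings_insecure' );
function sgcc_save_settings_insecure() {
    $settings = array(
        'banner_text' => sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) ),
        'cookie_ttl'  => absint( $_POST['cookie_ttl'] ?? 30 ),
    );
    update_option( 'sgcc_settings', $settings ); // no capability or nonce check
    wp_send_json_success( $settings );
}

// AFTER (authorization enforced): the request must carry a valid nonce for
// this action, and the caller must hold a capability that matches the
// privilege needed to change site-wide cookie behaviour. The admin page
// issues the nonce with wp_create_nonce( 'sgcc_save_settings' ).
add_action( 'wp_ajax_sgcc_save_settings', 'sgcc_save_settings' );
function sgcc_save_settings() {
    // Rejects cross-site requests; dies with HTTP 403 when the nonce is bad.
    check_ajax_referer( 'sgcc_save_settings', 'nonce' );

    // The actual authorization decision: tie it to an admin-level capability,
    // not merely to the caller being logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = array(
        'banner_text' => sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) ),
        'cookie_ttl'  => absint( $_POST['cookie_ttl'] ?? 30 ),
    );
    update_option( 'sgcc_settings', $settings );
    wp_send_json_success( $settings );
}

// Do not register a wp_ajax_nopriv_ variant for any handler that mutates
// settings; unauthenticated requests should never reach update_option().
```

Input sanitization alone (sanitize_text_field, absint) does not substitute for the capability check: it limits what a request can write, not who may write it.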
OpenCVE Enrichment