WP Legal Pages WP Cookie Notice CVE-2025-66080
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.
AnalysisAI
Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.
Technical ContextAI
This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to enforce proper authorization checks before allowing sensitive operations. The WP Cookie Notice plugin handles critical GDPR, CCPA, and ePrivacy compliance functions including cookie consent management and notice display configuration. The missing authorization likely affects administrative endpoints or API functions that should be restricted to authenticated users with appropriate roles, but instead are accessible without proper permission validation. The vulnerability exists across plugin versions through 4.0.3, indicating a systemic authorization bypass in the access control layer rather than a single isolated function.
Affected ProductsAI
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin affects versions from an unspecified baseline through version 4.0.3 inclusive. The plugin is distributed via WordPress.org plugin repository and identified by slug 'gdpr-cookie-consent' (CPE context suggests wordpress-plugin:gdpr-cookie-consent:<=4.0.3). Vulnerability was reported by Patchstack security audit team and documented in the Patchstack WordPress plugin vulnerability database.
RemediationAI
Update WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin to version 4.0.4 or later, which contains the authorization control fixes. Site administrators should access WordPress admin dashboard, navigate to Plugins > Installed Plugins, and select 'Update Now' for this plugin when available. For detailed patch information and verification, consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2. Until patching is complete, administrators should audit user roles and capabilities to ensure only appropriately privileged users can access cookie consent settings and GDPR configuration features.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today