CVE-2025-66080

2025-12-30 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 30, 2025 - 16:15 (nvd)

Description

Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.

Analysis

Missing authorization controls in the WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code had been identified at the time of analysis, and the low EPSS score (0.06%, 19th percentile) suggests a low likelihood of real-world exploitation despite the authorization flaw.

Technical Context

This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to enforce proper authorization checks before allowing sensitive operations. The WP Cookie Notice plugin handles critical GDPR, CCPA, and ePrivacy compliance functions including cookie consent management and notice display configuration. The missing authorization likely affects administrative endpoints or API functions that should be restricted to authenticated users with appropriate roles, but instead are accessible without proper permission validation. The vulnerability exists across plugin versions through 4.0.3, indicating a systemic authorization bypass in the access control layer rather than a single isolated function.

Affected Products

The vulnerability affects the WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin from an unspecified baseline version through version 4.0.3 inclusive. The plugin is distributed via the WordPress.org plugin repository and identified by the slug 'gdpr-cookie-consent' (CPE context suggests wordpress-plugin:gdpr-cookie-consent:<=4.0.3). The vulnerability was reported by the Patchstack security audit team and is documented in the Patchstack WordPress plugin vulnerability database.

Remediation

Update the WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin to version 4.0.4 or later, which contains the authorization control fixes. Site administrators should open the WordPress admin dashboard, navigate to Plugins > Installed Plugins, and select 'Update Now' for this plugin when the update is available. For detailed patch information and verification, consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2. Until patching is complete, administrators should audit user roles and capabilities to ensure that only appropriately privileged users can access cookie consent settings and GDPR configuration features.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +0, POC 0
