Skip to main content

WP Legal Pages WP Cookie Notice CVE-2025-66080

MEDIUM
Missing Authorization (CWE-862)
2025-12-30 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 30, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.

AnalysisAI

Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.

Technical ContextAI

This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to enforce proper authorization checks before allowing sensitive operations. The WP Cookie Notice plugin handles critical GDPR, CCPA, and ePrivacy compliance functions including cookie consent management and notice display configuration. The missing authorization likely affects administrative endpoints or API functions that should be restricted to authenticated users with appropriate roles, but instead are accessible without proper permission validation. The vulnerability exists across plugin versions through 4.0.3, indicating a systemic authorization bypass in the access control layer rather than a single isolated function.

Affected ProductsAI

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin affects versions from an unspecified baseline through version 4.0.3 inclusive. The plugin is distributed via WordPress.org plugin repository and identified by slug 'gdpr-cookie-consent' (CPE context suggests wordpress-plugin:gdpr-cookie-consent:<=4.0.3). Vulnerability was reported by Patchstack security audit team and documented in the Patchstack WordPress plugin vulnerability database.

RemediationAI

Update WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin to version 4.0.4 or later, which contains the authorization control fixes. Site administrators should access WordPress admin dashboard, navigate to Plugins > Installed Plugins, and select 'Update Now' for this plugin when available. For detailed patch information and verification, consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2. Until patching is complete, administrators should audit user roles and capabilities to ensure only appropriately privileged users can access cookie consent settings and GDPR configuration features.

Share

CVE-2025-66080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy