Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Admin panel is network-accessible (AV:N), but PR:H reflects mandatory administrator credentials; SQL injection yields database reads only, so I:N and A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Cookie Banner for GDPR / CCPA - WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 4.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account holding administrator-level privileges or higher (PR:H per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.9 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the primary tension in this vulnerability: the network-accessible attack surface and high confidentiality impact are substantially offset by the administrator-level privilege requirement (PR:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained WordPress administrator credentials - through phishing, credential stuffing, or insider threat - logs into the WP Admin panel and navigates to the GDPR data-request management table provided by the plugin. The attacker appends a SQL UNION SELECT payload to the 's' search parameter (e.g., injecting into the query at lines 322, 377, 492, or 513 of class-wpl-data-req-table.php), extracting sensitive records such as WordPress user hashes, email addresses, or stored PII from the database without triggering visible application errors. … |
| Remediation | A code fix was committed to the plugin's WordPress Subversion repository under changeset 3593450 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3593450%40gdpr-cookie-consent&new=3593450%40gdpr-cookie-consent); however, the exact patched release version is not independently confirmed from available data - administrators should consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/572bfa82-92f5-4801-8710-0626ca563a6c and the WordPress plugin directory to identify the first released version incorporating this changeset, then upgrade immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41469
GHSA-64rj-8mhx-6c97