Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
Monthly
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.