CVE-2025-11754

7.5 HIGH

📋 TL;DR

The GDPR Cookie Consent WordPress plugin has an unauthenticated REST API vulnerability that allows attackers to retrieve sensitive plugin settings without authentication. This affects all WordPress sites using plugin versions up to 4.1.2. Attackers can access API tokens, email addresses, account IDs, and site keys.

💻 Affected Systems

Products:
  • WordPress GDPR Cookie Consent plugin
Versions: All versions up to and including 4.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions enabled. The REST API endpoint is accessible by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain API tokens and site keys, potentially enabling account takeover, data exfiltration, or using compromised credentials for further attacks against integrated services.

🟠 Likely Case

Attackers harvest sensitive plugin configuration data including email addresses and account IDs, which could be used for phishing, reconnaissance, or credential stuffing attacks.

🟢 If Mitigated

With proper network segmentation and API gateway controls, impact is limited to information disclosure of plugin settings only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single HTTP GET request to the /wp-json/gdpr/v1/settings endpoint is sufficient; no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3443083

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'GDPR Cookie Consent' and click 'Update Now'.
  4. Verify the version is 4.1.3 or higher.

🔧 Temporary Workarounds

Disable vulnerable REST API endpoint

Platform: all

Add the following to functions.php to remove the vulnerable route from the REST server. Note that a parent theme's functions.php is overwritten on theme updates, so place it in a child theme or a must-use plugin if it needs to persist:

// Remove the GDPR Cookie Consent settings route before the REST server dispatches it.
add_filter('rest_endpoints', function ($endpoints) {
    if (isset($endpoints['/gdpr/v1/settings'])) {
        unset($endpoints['/gdpr/v1/settings']);
    }
    return $endpoints;
});

Block API endpoint via .htaccess

Platform: linux

Add a rewrite rule to block access to the vulnerable endpoint. This matches only the pretty-permalink form of the path; the functions.php filter above removes the route from the REST server itself and therefore covers every URL form WordPress accepts:

RewriteEngine On
RewriteRule ^wp-json/gdpr/v1/settings - [F,L]

🧯 If You Can't Patch

  • Disable the GDPR Cookie Consent plugin entirely
  • Implement WAF rules to block requests to /wp-json/gdpr/v1/settings endpoint

🔍 How to Verify

Check if Vulnerable:

Send a GET request to https://your-site.com/wp-json/gdpr/v1/settings. If it returns plugin settings without authentication, you're vulnerable.

Check Version:

wp plugin list --name='GDPR Cookie Consent' --field=version

(wp plugin list filters on the plugin slug, i.e. its directory name under wp-content/plugins, not its display title; substitute the slug if the command returns nothing.)

Verify Fix Applied:

After update, the same GET request should return 401/403 error or empty response.
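The two checks above can be automated as follows. This is an added example for this advisory, not vendor or project code; it assumes only the endpoint path given in the advisory and the fixed-install behaviour the advisory describes (401/403 or an empty response).

```python
"""Check whether a WordPress site still answers the unauthenticated GET to the
GDPR Cookie Consent settings endpoint described in CVE-2025-11754.

Added example for this advisory, not vendor code. Assumptions: the endpoint
path /wp-json/gdpr/v1/settings from the advisory, and that a fixed install
replies with 401/403 or an empty body.
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/wp-json/gdpr/v1/settings"


def classify_response(status: int, body: bytes) -> str:
    """Map an HTTP status and body to a verdict.

    vulnerable   -> 200 with a non-empty JSON object/array (settings returned)
    fixed        -> 401/403, or 200 with an empty body / empty JSON
    inconclusive -> anything else (404: plugin absent or REST disabled; 5xx; HTML)
    """
    if status in (401, 403):
        return "fixed"
    if status == 200:
        text = body.strip()
        if not text:
            return "fixed"
        try:
            data = json.loads(text)
        except ValueError:
            return "inconclusive"
        # An empty dict/list is the "empty response" case the advisory describes.
        return "vulnerable" if data else "fixed"
    return "inconclusive"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Send the GET described in the advisory to your own site and classify it."""
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-11754-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        # urllib raises on 4xx/5xx; the status code is still what we need.
        return classify_response(e.code, e.read())


if __name__ == "__main__":
    # Usage: python check.py https://your-site.com
    print(check_site(sys.argv[1]))
```

Treat "vulnerable" as "the endpoint returned a non-empty JSON document" and inspect that document: a non-empty body that contains no settings (for example a JSON error object returned with status 200) still needs a manual look before you close the finding.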

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to GET /wp-json/gdpr/v1/settings from unauthenticated clients
  • Unusual access patterns to REST API endpoints

Network Indicators:

  • Unusual traffic to /wp-json/gdpr/v1/settings endpoint
  • GET requests to plugin API from suspicious IPs

SIEM Query:

source="web_logs" AND uri_path="/wp-json/gdpr/v1/settings" AND http_method="GET" AND NOT (user_agent CONTAINS "bot" OR user_agent CONTAINS "crawl")
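The same logic as the SIEM query above, applied to raw web-server lines in combined log format, as an added example for this advisory (not vendor or project code). The log lines embedded at the bottom are constructed for the demonstration; the query's "bot"/"crawl" user-agent exclusion is applied case-insensitively here, which the query itself does not specify.

```python
"""Flag web-server log lines that show a successful (HTTP 200) GET of the
GDPR Cookie Consent settings endpoint (CVE-2025-11754).

Added example for this advisory, not vendor code. Implements the advisory's
SIEM query (GET, exact path, status 200, user agent not containing "bot" or
"crawl") over Apache/nginx combined-format lines. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

TARGET_PATH = "/wp-json/gdpr/v1/settings"
UA_EXCLUDE = ("bot", "crawl")

# Combined log format:
# ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop the query string and a trailing slash so "/settings?x=1" and
    # "/settings/" compare equal to the advisory's path.
    d["path"] = urlsplit(d["target"]).path.rstrip("/") or "/"
    return d


def is_indicator(entry):
    """True when the entry matches the advisory's log indicator."""
    if entry is None:
        return False
    ua = entry["ua"].lower()
    return (
        entry["method"] == "GET"
        and entry["path"] == TARGET_PATH
        and entry["status"] == 200
        and not any(tok in ua for tok in UA_EXCLUDE)
    )


def find_indicators(lines):
    """Return the matching entries and a per-source-IP count of them."""
    hits = [e for e in map(parse_line, lines) if is_indicator(e)]
    return hits, Counter(e["ip"] for e in hits)


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 200 912 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Oct/2025:10:01:03 +0000] "GET /wp-json/gdpr/v1/settings?_=1 HTTP/1.1" 200 912 "-" "python-requests/2.32"',
    # A patched site answers 403: this line is not an indicator.
    '198.51.100.4 - - [12/Oct/2025:10:02:00 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 403 87 "-" "curl/8.4.0"',
    # Excluded by the user-agent filter, exactly as the SIEM query does.
    '192.0.2.9 - - [12/Oct/2025:10:03:00 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 200 912 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.9 - - [12/Oct/2025:10:04:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Oct/2025:10:05:00 +0000] "POST /wp-json/gdpr/v1/settings HTTP/1.1" 401 60 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    hits, by_ip = find_indicators(SAMPLE_LOG)
    for e in hits:
        print(f'{e["time"]} {e["ip"]} {e["target"]} ua="{e["ua"]}"')
    print("per-IP counts:", dict(by_ip))
```

Only 200 responses fire, so once the plugin is updated (or the endpoint removed) the same query goes quiet; a burst of 401/403 responses to this path after patching is still worth a look as evidence that the site was being probed.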
