CVE-2025-12136
📋 TL;DR
This SSRF vulnerability in the Real Cookie Banner WordPress plugin allows authenticated administrators to make arbitrary HTTP requests from the web server. Attackers can query internal services, potentially accessing sensitive data or performing internal network reconnaissance. Only WordPress sites with the vulnerable plugin installed and administrator accounts are affected.
💻 Affected Systems
- Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, retrieve sensitive data from cloud metadata services, perform internal port scanning, or interact with internal APIs to modify data.
Likely Case
Internal network reconnaissance, accessing internal web services, or retrieving metadata from cloud platforms.
If Mitigated
Limited to internal network access only if proper network segmentation and firewall rules are in place.
🎯 Exploit Status
Requires administrator credentials; exploitation involves crafting HTTP requests to the vulnerable REST endpoint
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.5 or later
Vendor Advisory: https://wordpress.org/plugins/real-cookie-banner/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Real Cookie Banner plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.2.5+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
WordPressRemove or restrict access to the '/scanner/scan-without-login' REST API endpoint
Add to theme's functions.php or custom plugin: remove_action('rest_api_init', 'YOUR_SCANNER_CLASS_HERE');
Restrict administrator access
allLimit administrator accounts and implement strong authentication controls
🧯 If You Can't Patch
- Implement network segmentation to isolate WordPress server from internal services
- Deploy web application firewall (WAF) rules to block SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Real Cookie Banner → Version. If version is 5.2.4 or lower, you are vulnerable.Check Version:
wp plugin list --name='real-cookie-banner' --field=versionVerify Fix Applied:
Confirm plugin version is 5.2.5 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/real-cookie-banner/v1/scanner/scan-without-login
- HTTP requests from WordPress server to internal IP addresses or metadata services
Network Indicators:
- Outbound HTTP requests from WordPress server to internal network segments or cloud metadata endpoints (169.254.169.254, etc.)
SIEM Query:
source="wordpress.log" AND uri="/wp-json/real-cookie-banner/v1/scanner/scan-without-login" AND method="POST"🔗 References
- https://infosecstuff.com/SSRF-Real-Cookie-Banner
- https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
- https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L210
- https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L223
- https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L48
- https://plugins.trac.wordpress.org/changeset/3378727
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7f559d7f-3faf-4549-b529-f4db03dce2dd?source=cve
