CVE-2025-11754 Overview
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gdpr/v1/settings REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Critical Impact
Unauthenticated attackers can exploit this missing authorization vulnerability to extract sensitive configuration data from WordPress sites, potentially compromising API credentials and enabling further attacks.
Affected Products
- GDPR Cookie Consent plugin for WordPress versions up to and including 4.1.2
Discovery Timeline
- 2026-02-19 - CVE-2025-11754 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-11754
Vulnerability Analysis
This vulnerability stems from a missing capability check (CWE-862) on the WordPress REST API endpoint gdpr/v1/settings. A plugin route registered with register_rest_route() must supply a permission_callback that verifies the caller, normally by calling current_user_can() with the capability the data warrants (manage_options for plugin settings), before the route callback returns sensitive data. A permission callback that is absent or that unconditionally returns true makes the route public to anyone who can reach /wp-json/.
In this case, the vulnerable endpoint returns plugin configuration settings without validating whether the requester is authenticated or has administrative privileges. The exposed data includes API tokens, email addresses, account IDs, and site keys—all of which could be leveraged by attackers for credential theft, phishing campaigns, or to compromise integrated third-party services.
The network-accessible nature of WordPress REST APIs means any unauthenticated remote attacker can exploit this vulnerability simply by making HTTP requests to the vulnerable endpoint.
Root Cause
The root cause is a Missing Authorization vulnerability (CWE-862) in the REST API implementation. The gdpr/v1/settings endpoint fails to implement a proper capability check before returning sensitive plugin configuration data. This oversight allows any unauthenticated user to access administrative settings that should be restricted to authorized WordPress administrators.
The vulnerable code path can be traced to the class-gdpr-cookie-consent-api.php file, which registers the REST API endpoint without an effective permission_callback.
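To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not the plugin's source, which this page does not reproduce. It shows a gdpr/v1/settings route registered with a permissive permission_callback beside the same route gated on the manage_options capability. The cvx_ function names and the cvx_settings option name are assumed for the example.

```php
<?php
// Added illustration for this page; it is not the plugin's source.
// Shows the CWE-862 pattern behind CVE-2025-11754 and the check that closes it.
// The namespace/route follow the advisory; the cvx_ functions and the
// 'cvx_settings' option name are assumed for the example.

// BEFORE (vulnerable pattern): the permission callback accepts every caller, so
// the route is reachable by anonymous HTTP clients. WordPress 5.5+ logs a notice
// when permission_callback is omitted; '__return_true' silences the notice
// without adding any authorization.
function cvx_register_settings_route_vulnerable() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cvx_get_settings',
        'permission_callback' => '__return_true',
    ) );
}

// AFTER (hardened): the callback only runs for a logged-in user who holds
// manage_options. WordPress authenticates the request before this runs
// (cookie + X-WP-Nonce header, or an Application Password); a request with no
// valid credential reaches this check as user 0 and is rejected with 401.
function cvx_register_settings_route_fixed() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cvx_get_settings',
        'permission_callback' => 'cvx_settings_permission',
    ) );
}
add_action( 'rest_api_init', 'cvx_register_settings_route_fixed' );

function cvx_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in',
            __( 'Authentication required.' ), array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden',
            __( 'You are not allowed to read these settings.' ), array( 'status' => 403 ) );
    }
    return true;
}

function cvx_get_settings( WP_REST_Request $request ) {
    $settings = get_option( 'cvx_settings', array() ); // assumed option name
    // Defence in depth: even administrators get secrets masked in the API
    // response, so a leaked response or a future authorization regression
    // exposes less than the full token.
    foreach ( array( 'api_token', 'site_key' ) as $secret ) {
        if ( ! empty( $settings[ $secret ] ) ) {
            $settings[ $secret ] = substr( $settings[ $secret ], 0, 4 ) . str_repeat( '*', 8 );
        }
    }
    return rest_ensure_response( $settings );
}
```

The important detail is that the permission callback, not the route callback, is where WordPress expects authorization to happen: by the time the route callback runs, the response is already being built for whoever asked. Masking secrets in the response is an extra layer, not a substitute for the capability check.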
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker simply needs to craft an HTTP request to the gdpr/v1/settings REST API endpoint on a vulnerable WordPress installation. The response contains sensitive plugin settings that should be protected.
The attack flow is straightforward:
- Attacker identifies a WordPress site running the vulnerable GDPR Cookie Consent plugin version
- Attacker sends an unauthenticated GET request to /wp-json/gdpr/v1/settings (or, on sites without pretty permalinks, to /?rest_route=/gdpr/v1/settings)
- The server returns sensitive configuration data including API tokens and credentials
- Attacker uses extracted credentials for further attacks or account compromise
Detection Methods for CVE-2025-11754
Indicators of Compromise
- Requests to /wp-json/gdpr/v1/settings or /?rest_route=/gdpr/v1/settings that receive HTTP 200 from addresses with no administrator session, particularly with no wp-admin referer or with scripted user agents
- Access log entries showing unauthenticated requests to GDPR plugin REST API endpoints, including single requests: one successful read is enough to leak the configured tokens
- Evidence of credential misuse on third-party services configured within the plugin
Detection Strategies
- Monitor WordPress access logs for requests to the gdpr/v1/settings REST API endpoint in both URL forms (/wp-json/gdpr/v1/settings and the rest_route query parameter), and treat a 200 response as confirmed disclosure on unpatched sites
- Implement Web Application Firewall (WAF) rules to detect and block unauthorized REST API enumeration
- Use WordPress security plugins to audit REST API endpoint access patterns
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests on production systems
- Set up alerts for burst requests targeting plugin-specific REST API namespaces
- Review server access logs for reconnaissance patterns targeting /wp-json/ endpoints
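The detection strategies above can be run over existing access logs without any additional tooling. The script below is an added example for this page, not from the plugin or Wordfence: it parses combined-format Apache/Nginx access log lines, matches both URL forms of the endpoint, counts hits per source address, and flags addresses that received a 200 response without coming from a wp-admin referer. The log lines embedded in it are constructed samples using documentation IP ranges.

```php
<?php
// Added detection example for this page (not from the plugin or Wordfence).
// Scans combined-format access logs for reads of the vulnerable endpoint,
// counting per source IP and flagging 200 responses, which mean the settings
// were actually served. The log lines below are constructed samples.

const CVX_SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [19/Feb/2026:10:01:02 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:01:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 97 "-" "python-requests/2.31"
198.51.100.4 - - [19/Feb/2026:10:05:10 +0000] "GET /?rest_route=/gdpr/v1/settings HTTP/1.1" 200 1843 "-" "curl/8.5.0"
192.0.2.10 - - [19/Feb/2026:10:06:01 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 200 1843 "https://example.test/wp-admin/" "Mozilla/5.0"
LOG;

// Matches the pretty-permalink path and the rest_route query-string fallback.
const CVX_ENDPOINT_RE = '#^(?:/wp-json/gdpr/v1/settings|/\?rest_route=/gdpr/v1/settings)(?:[/?&].*)?$#i';
// Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
const CVX_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';

function cvx_scan_log( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( CVX_LINE_RE, $line, $m ) ) {
            continue; // not a combined-format line
        }
        list( , $ip, $time, $method, $path, $status, $referer, $ua ) = $m;
        if ( ! preg_match( CVX_ENDPOINT_RE, $path ) ) {
            continue;
        }
        $hits[ $ip ]['requests'] = ( $hits[ $ip ]['requests'] ?? 0 ) + 1;
        if ( '200' === $status ) {
            $hits[ $ip ]['served'] = ( $hits[ $ip ]['served'] ?? 0 ) + 1;
        }
        // A wp-admin referer suggests the plugin's own settings screen, which is
        // expected traffic; anything else reading the endpoint is suspicious.
        if ( false === strpos( $referer, '/wp-admin/' ) ) {
            $hits[ $ip ]['external'][] = "$time $method $path $status \"$ua\"";
        }
    }
    return $hits;
}

foreach ( cvx_scan_log( CVX_SAMPLE_LOG ) as $ip => $info ) {
    $served = $info['served'] ?? 0;
    $flag   = ( $served > 0 && ! empty( $info['external'] ) ) ? 'LIKELY EXPOSURE' : 'review';
    printf( "%-15s requests=%d served=%d %s\n", $ip, $info['requests'], $served, $flag );
    foreach ( $info['external'] ?? array() as $event ) {
        echo "    $event\n";
    }
}
```

Run it against a real log with `php scan.php < access.log` after replacing the sample constant with `file_get_contents('php://stdin')`. Because the endpoint returned the settings to anyone before the fix, any external 200 in the unpatched window should be treated as a disclosure and trigger the token rotation listed under mitigation, regardless of request volume.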
How to Mitigate CVE-2025-11754
Immediate Actions Required
- Update the GDPR Cookie Consent plugin to version 4.1.3 or later immediately
- After updating, confirm the fix by requesting /wp-json/gdpr/v1/settings without credentials and checking that the response is a 401 or 403 error rather than a 200 with settings data
- Review access logs for any evidence of exploitation attempts
- Rotate any API tokens, credentials, or site keys that may have been exposed through the vulnerable endpoint; since the endpoint required no authentication, assume exposure if the site was reachable while running an affected version
- Audit third-party service accounts configured within the plugin for unauthorized access
Patch Information
The vulnerability has been addressed in WordPress Changeset #3443083. Site administrators should update to the latest patched version of the GDPR Cookie Consent plugin through the WordPress admin dashboard or by downloading the updated version from the WordPress plugin repository.
Additional technical details are available in the Wordfence Vulnerability Analysis.
Workarounds
- Temporarily disable the GDPR Cookie Consent plugin until the patch can be applied
- Implement WAF rules that block access to /wp-json/gdpr/v1/settings and the /?rest_route=/gdpr/v1/settings form from anything other than administrator addresses; a rule that only checks for the presence of an Authorization header is bypassable, because an attacker can send any Authorization value and WordPress cookie authentication does not use that header at all
- Restrict access to WordPress REST API endpoints at the web server level using IP allowlisting if immediate patching is not possible; the plugin's own settings screen may call this endpoint, so include the addresses administrators work from
# Apache .htaccess workaround: deny the vulnerable endpoint to everyone except
# an allowlisted administrator address (replace 192.0.2.10). Place it above the
# "# BEGIN WordPress" block so it runs before WordPress's own rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
RewriteCond %{REQUEST_URI} ^/wp-json/gdpr/v1/settings [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)gdpr(/|%2F)v1(/|%2F)settings [NC]
RewriteRule .* - [F,L]
</IfModule>
After applying the rule, request the endpoint from a non-allowlisted address and confirm that the server answers 403; then remove the rule once the plugin has been updated.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

