Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12920

CVE-2026-12920: WPLP Cookie Consent Plugin SQLi Flaw

CVE-2026-12920 is a SQL injection vulnerability in the WPLP Cookie Consent plugin for WordPress that allows admin-level attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-12920 Overview

CVE-2026-12920 is a SQL Injection vulnerability affecting the Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress. The flaw exists in all versions up to and including 4.3.5. The plugin fails to escape the s parameter and does not adequately prepare the underlying SQL statement. Authenticated attackers with administrator-level access can append additional SQL queries to the existing query and extract sensitive data from the WordPress database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Authenticated administrators can extract confidential information stored in the WordPress database, including user records, hashed credentials, and site configuration data.

Affected Products

  • Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress
  • All versions up to and including 4.3.5
  • WordPress sites running the vulnerable plugin with administrator accounts exposed

Discovery Timeline

  • 2026-07-03 - CVE-2026-12920 published to the National Vulnerability Database
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-12920

Vulnerability Analysis

The vulnerability resides in the plugin's data request administration table, implemented in admin/data-req/class-wpl-data-req-table.php. The affected code handles the s search parameter used to filter data subject requests within the admin dashboard. According to the WordPress plugin source, the s value is concatenated directly into the query without proper preparation. Because prepared statements are not used, attacker-controlled input becomes part of the executable SQL string. An authenticated administrator can therefore inject additional clauses and exfiltrate data via UNION-based or boolean-based techniques. The published EPSS estimate places exploitation likelihood at 0.301%.

Root Cause

The root cause is insufficient escaping of the s parameter combined with the absence of parameterized query preparation using $wpdb->prepare(). The vulnerable code appears at multiple locations, including line 322, 377, 492, and 513 of class-wpl-data-req-table.php. Each location constructs a query fragment by embedding untrusted input.

Attack Vector

The attack is delivered over the network through the WordPress administrative interface. The attacker must already hold administrator privileges, which limits the practical population of exploiters to compromised or malicious admin accounts. Once authenticated, the attacker submits a crafted s search value to the data request table endpoint. The injected SQL is executed with the privileges of the WordPress database user, allowing extraction of arbitrary table contents.

Refer to the Wordfence Vulnerability Report for additional technical detail.

Detection Methods for CVE-2026-12920

Indicators of Compromise

  • Unexpected UNION SELECT, SLEEP(, INFORMATION_SCHEMA, or comment sequences such as -- in HTTP request parameters targeting wp-admin endpoints associated with the plugin.
  • Anomalous administrator activity accessing the GDPR data request table with unusually long or encoded s query parameters.
  • Database error entries in PHP or MySQL logs referencing class-wpl-data-req-table.php.

Detection Strategies

  • Inspect WordPress access logs for requests to the plugin's admin pages containing SQL metacharacters in the s parameter.
  • Deploy a web application firewall ruleset that flags SQL injection patterns against /wp-admin/ requests referencing the plugin slug gdpr-cookie-consent.
  • Correlate administrator session activity with database query volume to surface bulk data extraction attempts.

Monitoring Recommendations

  • Enable MySQL general or slow query logging on affected sites and monitor for queries originating from the plugin that reference tables outside its expected scope.
  • Track WordPress admin login sources and alert on new IPs, geolocations, or user agents for privileged accounts.
  • Baseline expected s parameter values and alert on outliers exceeding typical length or containing SQL keywords.

How to Mitigate CVE-2026-12920

Immediate Actions Required

  • Update the WPLP Cookie Consent plugin to a version later than 4.3.5 as soon as the vendor releases a patched release.
  • Audit all WordPress administrator accounts and remove any that are unused, and enforce multi-factor authentication on remaining privileged accounts.
  • Review recent access logs for the plugin's data request pages to identify any prior exploitation attempts.

Patch Information

The vendor committed a fix referenced in the WordPress plugin changeset 3593450 for the gdpr-cookie-consent repository. Administrators should apply the patched release from the WordPress plugin directory once available.

Workarounds

  • Temporarily deactivate the WPLP Cookie Consent plugin until a patched version is installed.
  • Restrict access to /wp-admin/ by IP allowlist at the reverse proxy or web server layer to reduce exposure of authenticated endpoints.
  • Apply a WAF rule that blocks SQL metacharacters in the s parameter for requests targeting the plugin's admin pages.
bash
# Example NGINX rule to restrict access to WordPress admin by source IP
location ^~ /wp-admin/ {
    allow 203.0.113.0/24;
    deny all;
    try_files $uri $uri/ /index.php?$args;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.