CVE-2026-4019 Overview
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress contains an unauthorized data access vulnerability affecting all versions up to and including 7.4.5. This REST API vulnerability allows unauthenticated attackers to access content from private, draft, or unpublished posts through the /wp-json/complianz/v1/consent-area/{post_id}/{block_id} endpoint due to improper permission validation.
Critical Impact
Unauthenticated attackers can read the consentedContent of consent-area blocks inside draft, pending, private, scheduled and password-protected WordPress posts. Only that block attribute is returned, not the whole post, but it can hold content that was never meant to be public or is not yet meant to be.
Affected Products
- Complianz – GDPR/CCPA Cookie Consent plugin for WordPress versions up to and including 7.4.5
Discovery Timeline
- 2026-04-29 - CVE-2026-4019 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-4019
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization). The core issue lies in the REST API endpoint registration where the permission_callback parameter is set to __return_true, a WordPress function that always returns true without performing any actual authorization checks.
The vulnerable function cmplz_rest_consented_content() retrieves posts by ID using WordPress's get_post() function and returns the consentedContent attribute from any complianz/consent-area block found within the post. The critical flaw is that this function does not verify:
- Whether the requesting user has permission to access the post
- Whether the post is published or in a protected state (draft, private, pending review)
This allows any unauthenticated user to enumerate post IDs and extract consent area block content from posts that should not be publicly accessible.
Root Cause
The root cause is the use of __return_true as the permission_callback in the REST route registration. The permission_callback is the only authorization hook a WordPress REST route has; returning true unconditionally declares the route public, so WordPress performs no capability check before running the handler. The handler then calls get_post(), which by design returns a post of any status or visibility and performs no permission check of its own, so nothing on the request path ever asks whether the caller may read the post.
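The registration pattern described above, placed beside a hardened permission_callback, as an added illustrative example: this is not Complianz's own code and not the 7.4.6 fix. The route regex, every example_ name, the two example namespaces and the assumption that a consent-area block carries an 'id' attribute to select it by are assumptions made for the example; register_rest_route, __return_true, get_post, parse_blocks, post_password_required, current_user_can and rest_authorization_required_code are the real WordPress APIs.

```php
<?php
// Added illustrative example, not Complianz's own code and not the 7.4.6 fix.
// Assumptions: the route regex, every example_* name, the two example
// namespaces, and that a consent-area block carries an 'id' attribute.

// Walk a parsed block tree (including nested blocks) and return the
// consentedContent attribute of the complianz/consent-area block whose
// id matches $block_id, or null if there is none.
function example_find_consented_content( array $blocks, $block_id ) {
    foreach ( $blocks as $block ) {
        if ( 'complianz/consent-area' === $block['blockName']
            && isset( $block['attrs']['id'] )
            && (string) $block['attrs']['id'] === (string) $block_id ) {
            return $block['attrs']['consentedContent'] ?? '';
        }
        if ( ! empty( $block['innerBlocks'] ) ) {
            $found = example_find_consented_content( $block['innerBlocks'], $block_id );
            if ( null !== $found ) {
                return $found;
            }
        }
    }
    return null;
}

// Shared handler: get_post() applies no capability or status check, so
// whatever the permission_callback lets through is returned verbatim.
function example_consented_content( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    $content = example_find_consented_content( parse_blocks( $post->post_content ), $request['block_id'] );
    if ( null === $content ) {
        return new WP_Error( 'rest_block_not_found', 'No matching consent area.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'consentedContent' => $content ) );
}

// Hardened permission_callback: the decision is made BEFORE the handler runs.
function example_consent_area_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    // Required capability depends on the post's state:
    //  - password-protected: caller must be able to edit the post (WordPress
    //    core's posts endpoint applies the same rule before exposing it)
    //  - not published (draft, pending, private, future): caller must be able
    //    to read that specific post, resolved by WordPress via map_meta_cap
    //  - published and unprotected: public, no capability needed
    if ( post_password_required( $post ) ) {
        $allowed = current_user_can( 'edit_post', $post->ID );
    } elseif ( 'publish' !== $post->post_status ) {
        $allowed = current_user_can( 'read_post', $post->ID );
    } else {
        $allowed = true;
    }
    if ( ! $allowed ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to view this consent area.',
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    $route = '/consent-area/(?P<post_id>\d+)/(?P<block_id>[A-Za-z0-9_-]+)';

    // Vulnerable pattern (CWE-862): __return_true makes the route fully public.
    register_rest_route( 'example-vulnerable/v1', $route, array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_consented_content',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the same handler, gated by a real permission check.
    register_rest_route( 'example-hardened/v1', $route, array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_consented_content',
        'permission_callback' => 'example_consent_area_permission',
    ) );
} );
```

Anonymous visitors fetch consent-area content on published pages after giving consent, so the hardened check leaves that path open (published, not password-protected) and only refuses posts the caller could not read through WordPress itself. It still lets a caller tell a missing post (404) from a refused one (401/403); WordPress core's posts endpoint makes the same trade-off, and a site that wants to blunt ID enumeration can return 404 for both.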
Attack Vector
The attack is network-based and requires no authentication or user interaction; a direct HTTP GET to the REST endpoint is enough.
The endpoint follows the pattern /wp-json/complianz/v1/consent-area/{post_id}/{block_id}; WordPress also serves the same route as index.php?rest_route=/complianz/v1/consent-area/{post_id}/{block_id}, which path-only filters often miss. An attacker can enumerate post IDs by iterating through numeric values and checking for valid responses. When a post exists and contains a complianz/consent-area block, the API returns the consentedContent attribute regardless of the post's publication status, so content can be extracted from draft posts (unpublished content), private posts (restricted visibility), scheduled posts (future publication) and password-protected posts. For technical implementation details, see the WordPress Plugin File and GitHub Code Reference.
Detection Methods for CVE-2026-4019
Indicators of Compromise
- Unusual volume of requests to /wp-json/complianz/v1/consent-area/ endpoints
- Sequential or enumerated post ID patterns in REST API requests
- Requests to consent-area endpoints from unauthenticated sources accessing draft or private post IDs
- HTTP 200 responses to consent-area requests whose post ID belongs to a draft, private, scheduled or password-protected post (on an unpatched site these succeed instead of returning 401/403, so the site's list of non-public post IDs is what turns an ordinary-looking 200 into an indicator)
Detection Strategies
- Monitor web server access logs for repeated requests to the Complianz REST route with varying post IDs, matching both the /wp-json/complianz/v1/consent-area/ path and the index.php?rest_route=/complianz/v1/consent-area/ query form
- Implement Web Application Firewall (WAF) rules to detect and alert on enumeration attempts against the consent-area endpoint
- Review REST API request logs, where a security or audit plugin records them (WordPress core keeps no REST audit log of its own), for unauthenticated access patterns to Complianz endpoints
Monitoring Recommendations
- Configure alerting for high-frequency requests to /wp-json/complianz/v1/consent-area/ paths
- Monitor for successful responses to REST API requests from IP addresses without associated authenticated sessions
- Implement rate limiting on REST API endpoints to slow enumeration attempts
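The detection strategies above, applied to access log lines, as an added example that is not part of the advisory. It matches both URL forms of the route, groups requests by client IP, and flags clients that walk many distinct post IDs, reporting the longest run of consecutive IDs and how many requests returned 200. The log lines are constructed for the example, the example_ names are assumptions, and the threshold is a starting point to tune per site.

```php
<?php
// Added example, not part of the advisory: scan web server access log lines
// for enumeration of the Complianz consent-area route. The log lines below
// are constructed for the example; the threshold is an assumption to tune.

// Match both URL forms WordPress serves a REST route under:
//   /wp-json/complianz/v1/consent-area/{post_id}/{block_id}
//   /index.php?rest_route=/complianz/v1/consent-area/{post_id}/{block_id}
const EXAMPLE_CONSENT_AREA_RE =
    '~(?:/wp-json|rest_route=)/complianz/v1/consent-area/(?P<post_id>\d+)/(?P<block_id>[^\s/?"]+)~';

// Parse one combined-format access log line; return null unless it is a
// consent-area request.
function example_parse_log_line( string $line ): ?array {
    $log_re = '/^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) /';
    if ( ! preg_match( $log_re, $line, $m ) ) {
        return null;
    }
    if ( ! preg_match( EXAMPLE_CONSENT_AREA_RE, $m['target'], $r ) ) {
        return null;
    }
    return array(
        'ip'      => $m['ip'],
        'post_id' => (int) $r['post_id'],
        'status'  => (int) $m['status'],
    );
}

// Group consent-area requests by client IP and flag clients whose distinct
// post IDs reach $min_ids. On an unpatched site every request returns 200,
// so the http_200 count alone says nothing; the spread of IDs does.
function example_find_enumeration( array $lines, int $min_ids = 5 ): array {
    $by_ip = array();
    foreach ( $lines as $line ) {
        $req = example_parse_log_line( $line );
        if ( null === $req ) {
            continue;
        }
        $ip = $req['ip'];
        $by_ip[ $ip ]['ids'][ $req['post_id'] ] = true;
        $by_ip[ $ip ]['requests'] = ( $by_ip[ $ip ]['requests'] ?? 0 ) + 1;
        $by_ip[ $ip ]['ok']       = ( $by_ip[ $ip ]['ok'] ?? 0 ) + ( 200 === $req['status'] ? 1 : 0 );
    }

    $findings = array();
    foreach ( $by_ip as $ip => $data ) {
        $ids = array_keys( $data['ids'] );
        if ( count( $ids ) < $min_ids ) {
            continue;
        }
        sort( $ids );
        // Longest run of consecutive IDs: a sequential scan shows up as a long run,
        // an organic visitor fetching a few scattered pages does not.
        $run = $longest = 1;
        for ( $i = 1, $n = count( $ids ); $i < $n; $i++ ) {
            $run     = ( $ids[ $i ] === $ids[ $i - 1 ] + 1 ) ? $run + 1 : 1;
            $longest = max( $longest, $run );
        }
        $findings[ $ip ] = array(
            'distinct_ids' => count( $ids ),
            'longest_run'  => $longest,
            'requests'     => $data['requests'],
            'http_200'     => $data['ok'],
        );
    }
    return $findings;
}

// Constructed sample: one scanner walking IDs 100..106 using both URL forms,
// one ordinary visitor, and one unrelated REST request that must be ignored.
$example_log = array(
    '203.0.113.7 - - [29/Apr/2026:10:00:01 +0000] "GET /wp-json/complianz/v1/consent-area/100/cmplz-1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:01 +0000] "GET /wp-json/complianz/v1/consent-area/101/cmplz-1 HTTP/1.1" 200 40 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:02 +0000] "GET /index.php?rest_route=/complianz/v1/consent-area/102/cmplz-1 HTTP/1.1" 200 310 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:02 +0000] "GET /wp-json/complianz/v1/consent-area/103/cmplz-1 HTTP/1.1" 404 90 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:03 +0000] "GET /wp-json/complianz/v1/consent-area/104/cmplz-1 HTTP/1.1" 200 770 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:03 +0000] "GET /wp-json/complianz/v1/consent-area/105/cmplz-1 HTTP/1.1" 200 120 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Apr/2026:10:00:04 +0000] "GET /wp-json/complianz/v1/consent-area/106/cmplz-1 HTTP/1.1" 200 64 "-" "curl/8.0"',
    '198.51.100.22 - - [29/Apr/2026:10:05:00 +0000] "GET /wp-json/complianz/v1/consent-area/42/cmplz-3 HTTP/1.1" 200 900 "https://example.test/page" "Mozilla/5.0"',
    '198.51.100.22 - - [29/Apr/2026:10:05:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2048 "https://example.test/page" "Mozilla/5.0"',
);

print_r( example_find_enumeration( $example_log ) );
```

Only 203.0.113.7 is reported: seven distinct IDs in one unbroken run, six of them answered with 200. The visitor from 198.51.100.22 touched a single consent-area ID and stays below the threshold, which is the behaviour a legitimate front-end load of a consent-area block produces.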
How to Mitigate CVE-2026-4019
Immediate Actions Required
- Update the Complianz – GDPR/CCPA Cookie Consent plugin to version 7.4.6 or later immediately
- Review access logs for potential prior exploitation of the vulnerable endpoint
- Audit any sensitive content stored in draft or private posts with consent-area blocks for potential exposure
Patch Information
The vulnerability has been patched in Complianz version 7.4.6. The fix implements proper authorization checks in the REST API endpoint's permission_callback to verify user permissions before returning post content. For details on the code changes, see the WordPress Changeset and the Version Comparison. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- If immediate patching is not possible, temporarily disable the Complianz plugin until the update can be applied, accepting that the site loses its cookie consent banner for that period
- Implement WAF rules to block unauthenticated requests to the route in both of its forms, /wp-json/complianz/v1/consent-area/ and index.php?rest_route=/complianz/v1/consent-area/; note that ordinary visitors are unauthenticated, so this also stops consent-area blocks on published pages from loading their content
- Restrict access to the route at the server level, for example by IP allowlisting, with the same caveat that legitimate visitor traffic is blocked along with the attacker's
# Nginx configuration to block unauthenticated access to the vulnerable endpoint.
# Caveat: this only tests that a cookie whose name starts with wordpress_logged_in
# is present, and any client can send one, so it is a speed bump for opportunistic
# scanners rather than authentication; patch the plugin regardless. It also only
# matches the /wp-json/ path form; the rest_route= query form needs its own rule.
location ~* /wp-json/complianz/v1/consent-area/ {
    # Reject requests that carry no WordPress login cookie at all
    if ($http_cookie !~* "wordpress_logged_in") {
        return 403;
    }
    try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


