What the vulnerability does
01 Description
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Explanation of Vulnerability in Simple Terms
02 Summary
The Cookie Banner for GDPR / CCPA plugin through version 4.1.2 fails to properly restrict access to sensitive functions. An unauthenticated attacker can read cookie consent data and user preferences without authorization. This affects all installations of the plugin up to the latest tested version.
What an attacker can do
03 Attacker Capabilities
Read cookie consent settings and user preference data without logging in.
Potential impact on your site
04 Site Impact
Visitor cookie preferences and consent records are exposed to anyone who knows how to request them.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 8, 2026: Record updated