CVE-2025-12136 MEDIUM

CVE-2025-12136: Real Cookie Banner: GDPR & ePrivacy Cookie Consent <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint

Vendor Devowl
Product Real Cookie Banner: GDPR & ePrivacy Cookie Consent
Weakness CWE-918 · SSRF
Published October 24, 2025
Last update April 8, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. The cause is insufficient validation of the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers with administrator-level access or above to make the web application issue web requests to arbitrary locations, which can be used to query and modify information on internal services via the `url` parameter.
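A hardened version of such a scan endpoint, added here as an example (it is not Real Cookie Banner's code): the `url` parameter is validated, the resolved address is checked against private and reserved ranges, and the fetch goes through wp_safe_remote_get() so WordPress re-validates the URL on every hop. The myplugin/v1/scan route, the myplugin_* function names and the two-field response are assumptions.

```php
<?php
// Added example (not the plugin's code); route and myplugin_* names are assumed.
/** Return $url if the server may fetch it, otherwise a WP_Error. */
function myplugin_validate_scan_url( string $url ) {
    $parts = wp_parse_url( $url );
    $bad   = array( 'status' => 400 );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) || isset( $parts['user'] ) ) {
        return new WP_Error( 'invalid_url', 'Absolute http(s) URL without credentials required.', $bad );
    }
    // Only web schemes: rules out file://, gopher://, php:// and friends.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'invalid_scheme', 'Only http and https are allowed.', $bad );
    }
    // Resolve, then refuse loopback, RFC 1918, link-local (169.254/16, cloud metadata)
    // and other reserved ranges. gethostbyname() is IPv4-only, so IPv6 fails closed.
    $ip = gethostbyname( trim( $parts['host'], '.' ) );
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
        return new WP_Error( 'unsafe_host', 'Host is unresolvable or non-public.', $bad );
    }
    return $url;
}
/** REST callback: validate first, then fetch through WordPress's safe HTTP path. */
function myplugin_rest_scan( WP_REST_Request $request ) {
    $url = myplugin_validate_scan_url( (string) $request->get_param( 'url' ) );
    if ( is_wp_error( $url ) ) {
        return $url;
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so core re-checks the URL with
    // wp_http_validate_url() at fetch time and on each redirect hop (wp_remote_get()
    // would not). A DNS answer that changes between check and fetch is not covered.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Scan request failed.', array( 'status' => 502 ) );
    }
    // Expose only what the scanner needs; never relay the raw response body.
    return rest_ensure_response( array(
        'status'       => wp_remote_retrieve_response_code( $response ),
        'content_type' => wp_remote_retrieve_header( $response, 'content-type' ),
    ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/scan', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'myplugin_rest_scan',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array( 'url' => array( 'required' => true, 'type' => 'string' ) ),
    ) );
} );
```

The resolve-then-fetch pattern still leaves a window for DNS rebinding between the two lookups; pinning the resolved address for the actual request closes it but is outside what this example shows.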

Explanation of Vulnerability in Simple Terms

02 Summary

Real Cookie Banner versions up to and including 5.2.4 contain a server-side request forgery vulnerability that allows high-privilege users to make the site send HTTP requests to arbitrary internal or external systems. An attacker with admin or equivalent access can read sensitive data from internal services or interact with external systems on the site's behalf. Because the CVSS scope is Changed, the impact extends beyond the plugin itself to the other systems the web server can reach.

What an attacker can do

03 Attacker Capabilities

Make the site send HTTP requests to internal or external systems and read responses.

Potential impact on your site

04 Site Impact

A compromised admin account can be used to access internal services, exfiltrate data, or attack external systems.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level admin or equivalent privileges on the site.

Key dates

06 Disclosure timeline

October 24, 2025 CVE published
April 8, 2026 Record updated