What the vulnerability does
01 Description
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent (gdpr-cookie-consent) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.
Explanation of Vulnerability in Simple Terms
02 Summary
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent versions 4.0.3 and earlier lack proper authorization checks. A logged-in user with low privileges can trigger a denial-of-service condition by making requests that degrade site availability. The vulnerability does not expose sensitive data or allow unauthorized modifications.
What an attacker can do
03 Attacker Capabilities
A low-privilege logged-in user can make requests that degrade site availability.
Potential impact on your site
04 Site Impact
Site availability may be degraded if a low-privilege user exploits this vulnerability.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the WordPress site.
Key dates
06 Disclosure timeline
November 21, 2025: CVE published
April 28, 2026: Record updated