CVE-2025-66075 MEDIUM

CVE-2025-66075: WordPress WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin <= 4.0.3 - Broken Access Control vulnerability

Vendor: Wp Legal Pages
Product: WP Cookie Notice for GDPR, CCPA & ePrivacy Consent
Weakness: CWE-862 · Missing authorization
Published: November 21, 2025
Last update: April 28, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent versions 4.0.3 and earlier lack proper authorization checks. A logged-in user with low privileges can trigger a denial-of-service condition by making requests that degrade site availability. The vulnerability does not expose sensitive data or allow unauthorized modifications.

What an attacker can do

03 Attacker Capabilities

A low-privilege logged-in user can make requests that degrade site availability.

Potential impact on your site

04 Site Impact

Site availability may be degraded if a low-privilege user exploits this vulnerability.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the WordPress site.

Key dates

06 Disclosure timeline

November 21, 2025: CVE published
April 28, 2026: Record updated
