
GDPR Cookie Consent Plugin Exposes Sensitive Data on WordPress

CVE-2025-11754
Summary

An attacker without a WordPress login can read sensitive settings, including API tokens and email addresses, from the GDPR Cookie Consent plugin. This affects all versions up to and including 4.1.2. Update the plugin to the latest version to fix this issue.

Original title
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and in...
Original description
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-862 Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
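
A log triage check for the exposure described above, as an added example that is not part of the advisory or the plugin's code: it lists requests to the 'gdpr/v1/settings' route in a web server access log that were answered with HTTP 200. The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route named in the advisory. WordPress serves REST routes both under
# /wp-json/ and through the ?rest_route= query parameter.
ROUTE = "/gdpr/v1/settings"

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def rest_route(target):
    """Return the normalised REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        route = path.split("/wp-json/", 1)[1]
    else:
        values = parse_qs(parts.query).get("rest_route")  # parse_qs URL-decodes
        if not values:
            return None
        route = values[0]
    return "/" + route.strip("/").lower()  # normalise slashes and case

def settings_reads(lines):
    """Yield (ip, time, status, size) for every request to the settings route."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and rest_route(m["target"]) == ROUTE:
            yield m["ip"], m["time"], int(m["status"]), m["size"]

def exposed_reads(lines):
    """Requests answered with 200, meaning a response body was served."""
    return [hit for hit in settings_reads(lines) if hit[2] == 200]

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2026:10:01:02 +0000] "GET /wp-json/gdpr/v1/settings HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.4 - - [20/Feb/2026:10:05:40 +0000] "GET /?rest_route=%2Fgdpr%2Fv1%2Fsettings HTTP/1.1" 200 1843 "-" "python-requests/2.31"',
    '192.0.2.9 - - [12/Mar/2026:08:00:00 +0000] "GET /wp-json/gdpr/v1/settings/ HTTP/1.1" 401 112 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2026:08:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status, size in exposed_reads(SAMPLE_LOG):
        print(f"{when} {ip} status={status} bytes={size}")
```

Access logs do not show whether a request carried a valid login, so each 200 hit is a candidate for review rather than proof of unauthenticated access.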