CVE-2026-12920 in Cookie Banner for GDPR CCPA Plugin
Summary
by MITRE • 07/03/2026
The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 4.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability exists within the WPLP Cookie Consent plugin for WordPress, specifically affecting versions through 4.3.5, and represents a critical generic SQL injection flaw that undermines database security. The vulnerability stems from inadequate input sanitization where the 's' parameter received from user input is not properly escaped before being incorporated into SQL queries. This weakness allows attackers to manipulate existing database operations by injecting malicious SQL code that can be executed alongside legitimate queries.
The technical implementation of this vulnerability aligns with CWE-89, which categorizes improper neutralization of special elements used in an SQL command as a fundamental flaw in database query construction. The plugin fails to employ prepared statements or adequate parameterization techniques, creating an environment where attacker-controlled input can directly influence the structure of SQL operations. This lack of proper input validation and sanitization enables what is known as SQL injection attacks that can be exploited to manipulate database contents.
The operational impact of this vulnerability is particularly severe given that it requires only administrator-level access or higher to exploit, making it accessible to authenticated attackers who already possess elevated privileges within the WordPress environment. Once exploited, the malicious SQL queries can extract sensitive information from the database including user credentials, configuration settings, and other confidential data stored within the WordPress installation. The attacker can leverage this capability to gain deeper insights into the system architecture and potentially escalate their access further.
Attackers utilizing this vulnerability could employ techniques aligned with ATT&CK matrix tactics such as credential access and privilege escalation, by extracting database contents that reveal additional attack vectors or sensitive information for lateral movement. The exploitation process typically involves crafting SQL injection payloads that manipulate the existing query structure to return desired data, potentially including administrative user credentials stored in the WordPress database. This makes the vulnerability particularly dangerous for organizations relying on WordPress for their web presence.
The recommended mitigations include immediate upgrade to the patched version of the WPLP Cookie Consent plugin, which addresses the SQL injection vulnerability through proper input sanitization and parameterization techniques. Organizations should also implement comprehensive input validation measures across all user-supplied parameters and ensure that prepared statements are used for all database interactions. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify and remediate similar vulnerabilities before they can be exploited by malicious actors.