CVE-2026-12955 in GDPR Cookie Consent Plugininfo

Summary

by MITRE • 07/10/2026

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdpr_cookie_consent_ajax_save_schedule_scan() function (the wp_ajax_gcc_save_schedule_scan AJAX action) in versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's cookie scan schedule configuration stored in the gdpr_scan_schedule_data option, which is an administrative function intended to be limited to users with the manage_options capability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability exists within the GDPR Cookie Consent plugin for WordPress, specifically affecting versions up to and including 4.3.6. This issue stems from a critical flaw in the plugin's access control mechanisms that allows authenticated attackers with subscriber-level privileges or higher to manipulate administrative settings. The vulnerability is particularly concerning because it undermines the fundamental principle of least privilege by failing to properly validate user permissions before allowing modification of sensitive configuration data.

The technical flaw manifests through the gdpr_cookie_consent_ajax_save_schedule_scan() function which handles the wp_ajax_gcc_save_schedule_scan AJAX action. This function lacks both capability verification and nonce validation, creating a pathway for unauthorized modifications. The absence of proper capability checks means that any user with subscriber-level access or greater can execute this function without proper authorization. Furthermore, the missing nonce verification eliminates protection against cross-site request forgery attacks, making it easier for attackers to exploit this vulnerability through social engineering or by leveraging other compromised user accounts.

The operational impact of this vulnerability extends beyond simple data modification capabilities. Attackers can manipulate the cookie scan schedule configuration stored in the gdpr_scan_schedule_data option, potentially disrupting the plugin's ability to properly monitor and report on website cookies. This could lead to compliance issues with GDPR regulations, as organizations might lose track of their cookie usage monitoring. The vulnerability also creates opportunities for attackers to delay or disable important security scanning functions, potentially leaving websites exposed to cookie-based tracking that could violate privacy regulations.

From a cybersecurity perspective, this vulnerability aligns with CWE-863 (Incorrect Authorization) and represents a clear violation of the principle of least privilege as defined in the MITRE ATT&CK framework. The issue creates a persistent backdoor for attackers who can use this functionality to maintain access while making subtle changes that are difficult to detect. Security professionals should note that this vulnerability is particularly dangerous because it operates through legitimate WordPress AJAX mechanisms, making it harder to distinguish from normal plugin operations.

Organizations should implement immediate mitigations including updating to the latest version of the plugin where this vulnerability has been addressed, implementing additional access controls for WordPress administrators, and monitoring for unusual modifications to plugin configuration settings. The recommended approach involves verifying that all users with administrative capabilities have proper authorization levels and that nonce validation is enforced throughout the plugin's AJAX handling functions. Additionally, regular security audits should include checking for similar missing capability checks in other plugins that handle sensitive administrative functions through AJAX interfaces.

Responsible

Wordfence

Reservation

06/22/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!