VYPR
Unrated severity · NVD Advisory · Published May 15, 2025 · Updated May 17, 2025

GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF

CVE-2024-8286

Description

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting visit logs, via CSRF attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products


Patches

Vulnerability mechanics

Root cause

"Missing CSRF nonce checks in bulk action handlers allow attackers to forge requests on behalf of an authenticated administrator."

Attack vector

An attacker crafts a malicious link or form that, when visited by a logged-in admin, triggers a bulk action (e.g., deleting visit logs) without the admin's consent [ref_id=1]. The plugin's bulk action endpoints lack CSRF tokens, so the forged request is processed as if the admin intended it [CWE-352]. The attack requires no special network position beyond the ability to deliver the crafted payload to the victim admin (e.g., via email, social engineering, or a cross-site request from another site).

Affected code

The advisory does not specify exact file paths or function names [ref_id=1]. The vulnerability exists in the bulk action handlers of the webtoffee-gdpr-cookie-consent plugin prior to version 2.6.1, where CSRF checks are absent.

What the fix does

The advisory states the vulnerability is fixed in version 2.6.1 [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve adding CSRF nonce verification to the bulk action handlers that were missing it. The fix ensures that any state-changing bulk request includes a valid nonce tied to the admin's session, preventing attackers from forging those requests.
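The nonce-based remediation described above, as an added example that is not the plugin's own code: a hypothetical "delete visit logs" bulk handler for a WordPress admin page, first in the unprotected shape the advisory describes, then with the nonce verification and a capability check. All names (the wt_gdpr_* functions, the nonce action string, the table name) are assumptions.

```php
<?php
// Added example, not code from the plugin: a hypothetical "delete visit logs" bulk
// handler for a WordPress admin page, first in the unprotected shape the advisory
// describes, then with the nonce verification the 2.6.1 fix is said to add.
// All names (wt_gdpr_*, the nonce action string, the table name) are assumptions.

// BEFORE: the handler acts on any POST with bulk_action=delete, so a form on an
// attacker's page submitted by a logged-in admin's browser is processed as genuine.
function wt_gdpr_bulk_visit_logs_vulnerable() {
    if ( ! isset( $_POST['bulk_action'] ) || 'delete' !== $_POST['bulk_action'] ) {
        return;
    }
    $ids = array_map( 'absint', (array) ( $_POST['log_ids'] ?? array() ) );
    wt_gdpr_delete_visit_logs( $ids );
}

// AFTER: the form carries a nonce bound to the current user and session, and the
// handler refuses the request when the nonce is missing, stale, or for another user.
function wt_gdpr_bulk_visit_logs_form_fields() {
    // Hidden inputs: the admin-post.php routing action and the CSRF nonce.
    echo '<input type="hidden" name="action" value="wt_gdpr_bulk_visit_logs">';
    wp_nonce_field( 'wt-gdpr-bulk-visit-logs', '_wpnonce' );
}

function wt_gdpr_bulk_visit_logs_hardened() {
    if ( ! isset( $_POST['bulk_action'] ) || 'delete' !== $_POST['bulk_action'] ) {
        return;
    }
    // Authorization first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wt-gdpr' ), 403 );
    }
    // check_admin_referer() calls wp_die() when the nonce is absent or invalid,
    // so a forged cross-site request never reaches the deletion below.
    check_admin_referer( 'wt-gdpr-bulk-visit-logs', '_wpnonce' );
    $ids = array_map( 'absint', (array) ( $_POST['log_ids'] ?? array() ) );
    wt_gdpr_delete_visit_logs( $ids );
    wp_safe_redirect( admin_url( 'admin.php?page=wt-gdpr-visit-logs&deleted=' . count( $ids ) ) );
    exit;
}
add_action( 'admin_post_wt_gdpr_bulk_visit_logs', 'wt_gdpr_bulk_visit_logs_hardened' );

// Hypothetical storage helper shared by both handlers (table name assumed).
function wt_gdpr_delete_visit_logs( array $ids ) {
    global $wpdb;
    foreach ( array_filter( $ids ) as $id ) {
        $wpdb->delete( $wpdb->prefix . 'wt_gdpr_visit_logs', array( 'id' => $id ), array( '%d' ) );
    }
}
```

Because WordPress nonces are tied to the logged-in user and rotate over time, a token copied from another session or an old page does not validate, which is what closes the forged-request path.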

Preconditions

  • auth: A logged-in administrator must be tricked into visiting the attacker's crafted page or link.
  • network: The attacker must be able to deliver a crafted URL or HTML form to the victim admin (e.g., via email, another website, or social engineering).

Reproduction

The advisory's proof of concept is not reproduced in the bundle [ref_id=1]. However, a typical CSRF attack would involve crafting a form that submits to the plugin's bulk delete endpoint and hosting it on an attacker-controlled page, then luring an admin to visit that page.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
