Medium severity 4.3 · NVD Advisory · Published May 19, 2025 · Updated Apr 23, 2026

CVE-2025-48260


Description

The WordPress GDPR CCPA Compliance Support plugin <=2.7.3 has a missing authorization vulnerability allowing unprivileged attackers to exploit incorrect access control.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


The GDPR CCPA Compliance Support plugin for WordPress, version 2.7.3 and earlier, contains a missing authorization vulnerability. This broken access control issue occurs because certain functions lack proper permission checks, allowing users without the required privileges to perform actions intended for higher-level roles. [1]

An attacker can exploit this vulnerability without authentication or with minimal privileges by sending specially crafted requests to the affected plugin endpoints. The attack surface is broad, as the plugin is widely used, and exploitation does not require any special network access beyond being able to reach the WordPress site. [1]

Successful exploitation enables an unprivileged attacker to execute actions reserved for authorized users, such as modifying plugin settings or accessing sensitive data. This could lead to data exposure, site misconfiguration, or further compromise of the WordPress installation. [1]

The vendor has addressed the issue in version 2.7.4. Users are strongly advised to update immediately. While the CVSS score is 4.3 (Medium), the vulnerability is known to be targeted in mass exploit campaigns, making timely patching critical. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
