CVE-2025-66133
Description
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Cookie Notice plugin up to version 4.0.7 allows attackers to bypass access controls and perform privileged actions.
What the vulnerability is: The WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (gdpr-cookie-consent) versions up to 4.0.7 contain a missing authorization vulnerability. The plugin fails to properly enforce access controls on certain functions, leading to a broken access control issue [1].
How it is exploited: An attacker with no or low privileges can exploit the missing authorization checks to access higher privileged actions. The vulnerability arises from missing capability or nonce token checks in the plugin's code, allowing an unprivileged user to perform actions intended for administrators [1].
Impact: Successful exploitation may allow an attacker to modify or view sensitive configuration settings related to cookie consent, potentially affecting website compliance with GDPR, CCPA, and ePrivacy regulations. The vulnerability has been noted in mass-exploit campaigns, though its severity is considered low [1].
Mitigation: Users are strongly advised to update to version 4.0.8 or later, which addresses the missing authorization. Patchstack users can enable auto-updates for the plugin to ensure timely patching [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=4.0.7
- Range: <=4.0.7
Patches (0)
No patches discovered yet.
References (1)