CVE-2026-24604
Description
Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple GDPR Cookie Compliance <=2.0.0 has a missing authorization vulnerability where lower-privileged users can exploit broken access controls.
The Simple GDPR Cookie Compliance plugin for WordPress, up to version 2.0.0, contains a missing authorization vulnerability. The plugin does not properly enforce access control checks, allowing unprivileged users to access or modify functionality that should be restricted to higher-level roles [1]. This is a classic broken access control issue, where functions lack necessary permission or nonce validation.
An attacker with a low-privilege account (e.g., subscriber or contributor) can exploit this flaw. The attack vector is network-accessible through the WordPress admin interface, and no special authentication beyond a basic user role is required [1]. Because the plugin fails to verify capabilities, the attacker can bypass security levels that the developer intended.
The impact includes unauthorized data access or configuration changes, potentially leading to compliance violations or disruption of cookie consent management. The CVSS score of 5.3 (Medium) reflects moderate severity because a user account is required, but the accessibility and automation risk mean this could be used in mass-exploit campaigns targeting thousands of websites [1].
A patched version 2.0.1 is available, which adds proper authorization checks. Administrators using version 2.0.0 or earlier should update immediately. If updating is not possible, deploying a web application firewall or restricting plugin access via user-role or is_admin() checks is a temporary workaround [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.0
Patches
No patches discovered yet.
References