
CVE-2025-11754: CWE-862 Missing Authorization in wplegalpages Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

Severity: High
Tags: Vulnerability, CVE-2025-11754, CWE-862
Published: Thu Feb 19 2026 (02/19/2026, 03:25:13 UTC)
Source: CVE Database V5
Vendor/Project: wplegalpages
Product: Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

Description

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

AI-Powered Analysis

Last updated: 02/19/2026, 04:27:08 UTC

Technical Analysis

CVE-2025-11754 is a CWE-862 (Missing Authorization) vulnerability in the Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress (the advisory refers to it as the GDPR Cookie Consent plugin), affecting all versions up to and including 4.1.2. The root cause is a missing capability check on the REST route 'gdpr/v1/settings', which returns the plugin's configuration. A WordPress REST route is only as protected as its permission callback: a route registered without one, or with one that always returns true, is served to anyone who can reach /wp-json/, so an unauthenticated attacker can issue a single GET for /wp-json/gdpr/v1/settings and receive the settings object, which according to the advisory includes API tokens, email addresses, account IDs and site keys. The tokens and keys are the serious part: they are credentials for whatever vendor or third-party services the plugin integrates with, so the blast radius is set by what those services accept the credentials for, not by the endpoint itself. No authentication or user interaction is required, the attack is network-reachable with low complexity, and because the exploit is one GET request it is trivial to automate across many sites. The CVSS v3.1 score of 7.5 (High) reflects a high confidentiality impact with no integrity or availability impact from the endpoint itself. No exploitation in the wild had been reported at publication. The entry carries no patch link; the description's "up to, and including, 4.1.2" wording marks 4.1.2 as the last affected release, so confirm the fixed version against the plugin's changelog rather than assuming no fix exists. Because the plugin exists to satisfy GDPR and CCPA obligations, leaked integration credentials and administrator contact addresses are also a compliance exposure for the site operator.
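The registration pattern behind a CWE-862 REST finding, shown as an added illustration written for this page and not taken from the plugin's source: the route namespace and name come from the advisory, while the handler function, the option name and the settings keys are assumptions. The first function is the vulnerable shape (a public route); the second adds the capability check that was missing, and the handler shows the defence-in-depth step of not echoing long-lived secrets back at all.

```php
<?php
// Added illustration for this page, not the plugin's own code.
// Route namespace/name are from the advisory; the option name, the handler
// and the settings keys (api_token, site_key) are assumptions.

/** The vulnerable shape (CWE-862): the route is public, so any anonymous GET
 *  to /wp-json/gdpr/v1/settings receives the full settings array. */
function example_gdpr_register_vulnerable_route() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gdpr_get_settings',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

/** The fixed shape: the permission callback requires manage_options, the
 *  capability WordPress settings screens require. REST requests authenticate
 *  by cookie + X-WP-Nonce or by application password, so current_user_can()
 *  reflects the real caller; an anonymous request gets 401, a logged-in user
 *  without the capability gets 403 (rest_authorization_required_code()). */
function example_gdpr_register_fixed_route() {
    register_rest_route( 'gdpr/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gdpr_get_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read these settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

function example_gdpr_get_settings( WP_REST_Request $request ) {
    // Assumed storage: a single serialized option holding the plugin settings.
    $settings = get_option( 'example_gdpr_settings', array() );

    // Defence in depth: even an authorized admin UI rarely needs the raw
    // secret back. Return a masked value; the settings form accepts a new one
    // on save. An authorization bug then leaks far less.
    foreach ( array( 'api_token', 'site_key' ) as $secret ) {
        if ( ! empty( $settings[ $secret ] ) ) {
            $settings[ $secret ] = str_repeat( '*', 8 ) . substr( $settings[ $secret ], -4 );
        }
    }
    return rest_ensure_response( $settings );
}

// Only the fixed registration is hooked; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'example_gdpr_register_fixed_route' );
```

The check belongs in permission_callback rather than inside the handler: WordPress evaluates it before the callback runs, and since 5.5 a route registered with no permission_callback triggers a _doing_it_wrong notice, which is a useful grep target when auditing other plugins for the same class of bug.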

Potential Impact

For European organizations the primary impact is confidentiality: the plugin's integration credentials (API tokens, account IDs, site keys) and the configured email addresses are readable by anyone on the internet. What an attacker can do with them depends on the services those tokens authenticate to. The advisory establishes disclosure, not a direct path to modify consent settings, so treat consent tampering or script injection as a possibility to verify against the specific integration rather than as a given. Concretely: leaked tokens may let an attacker act against the site's account with the vendor's service, leaked email addresses feed targeted phishing of site administrators, and because the request needs no authentication or user interaction, mass scanning of WordPress sites for this route is cheap. For an organization whose cookie banner forms part of its GDPR/CCPA compliance evidence, an unauthorized disclosure of the plugin's credentials and administrator contact data is itself a security incident that may be notifiable, with the attendant regulatory and reputational cost. Sites that expose /wp-json/ publicly, which is the WordPress default, are affected regardless of hosting region.

Mitigation Recommendations

Update first: check the plugin changelog for the release that follows 4.1.2 and deploy it; the advisory's wording marks 4.1.2 as the last affected version. Where an update cannot be applied immediately, virtually patch the route with a must-use plugin or a WAF rule that returns 401/403 for unauthenticated requests to /wp-json/gdpr/v1/settings and to its /?rest_route=/gdpr/v1/settings alias, matched case-insensitively, because WordPress matches REST routes case-insensitively and a rule that only recognises the lowercase path misses /GDPR/v1/settings. Then verify from outside the network: an anonymous GET to either URL form must no longer return a JSON settings object. Treat every credential the endpoint could have returned as exposed and rotate the API tokens and site keys both at the vendor and in the plugin, since you usually cannot prove nobody read them before the fix. Search web-server and WAF logs for earlier requests to the route (both URL forms) to scope the exposure window, and keep alerting on it afterwards; the entire exploit is a single unauthenticated GET, so the detection signature is simple. Disabling or replacing the plugin is an option where the banner is not load-bearing for compliance. Finally, audit the plugin's configuration and the vendor-side account for changes that could have been made with the leaked tokens.
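A virtual patch of the kind described above, as an added example written for this page and not vendor code: a must-use plugin that denies the affected route to anyone without manage_options before the plugin's own callbacks run. The route path is the one the advisory names; the choice of manage_options as the gating capability is an assumption about who legitimately reads the settings.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-11754 (gdpr/v1/settings)
 * Description: Deny unauthorized reads of the gdpr/v1/settings REST route until the plugin is updated.
 */
// Added example for this page, not vendor code. Place the file in
// wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be
// deactivated from the dashboard. Assumed: the affected route is the one the
// advisory names, /gdpr/v1/settings; manage_options as the required
// capability is an assumption.

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // WordPress matches REST routes case-insensitively, so match the same way;
    // a literal string comparison would let /GDPR/v1/settings through.
    // get_route() is the same for /wp-json/... and /?rest_route=... requests.
    if ( ! preg_match( '#^/gdpr/v1/settings$#i', $request->get_route() ) ) {
        return $response; // not the affected route; leave every other REST call alone
    }

    if ( current_user_can( 'manage_options' ) ) {
        return $response; // administrator: let the plugin's own handler run
    }

    // Record the attempt. REMOTE_ADDR is the proxy's address behind a CDN or
    // load balancer; use the forwarding header your edge sets in that case.
    error_log( sprintf(
        'CVE-2025-11754 blocked: %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Returning a WP_Error from this filter short-circuits the route: neither
    // the permission callback nor the settings callback executes, and the
    // client receives 401 (anonymous) or 403 (logged in, lacking capability).
    return new WP_Error(
        'rest_forbidden',
        'Authorization required.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

After installing, request both /wp-json/gdpr/v1/settings and /?rest_route=/GDPR/v1/settings anonymously and confirm each returns a 401 JSON error rather than a settings object; then remove the file once the updated plugin release is deployed and the same anonymous check still fails.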


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-14T17:51:56.180Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69968d636aea4a407a3900bb

Added to database: 2/19/2026, 4:11:15 AM

Last enriched: 2/19/2026, 4:27:08 AM

Last updated: 2/21/2026, 12:15:10 AM
