CVE-2025-14061: CWE-862 Missing Authorization in wplegalpages Cookie Banner for GDPR / CCPA – WPLP Cookie Consent
The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID.
AI Analysis
Technical Summary
CVE-2025-14061 is a missing authorization vulnerability (CWE-862) in the WP Cookie Consent plugin for WordPress (wplegalpages project). The issue arises from the lack of a capability check in the gdpr_delete_policy_data function, enabling unauthenticated attackers to permanently delete arbitrary WordPress content by specifying post IDs. This affects all plugin versions up to and including 4.0.7. The vulnerability is remotely exploitable without authentication and has low attack complexity. The impact is limited to integrity loss (unauthorized deletion) without confidentiality or availability impact. No known exploits in the wild or vendor patches are currently documented.
Potential Impact
An attacker can permanently delete arbitrary posts, pages, attachments, and other post types by ID without authentication. This compromises the integrity of the affected WordPress site content. There is no direct impact on confidentiality or availability according to the CVSS vector. The medium severity reflects the potential for content loss but not system takeover or data disclosure.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting access to the plugin's functionality or disabling it if feasible. Monitoring for suspicious deletion activity may help detect exploitation attempts. Avoid exposing the vulnerable plugin to untrusted users or the public internet where possible.
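One way to act on the monitoring and access-restriction advice above, as an added example that is not the plugin's or the vendor's code: a must-use plugin that logs and refuses deletions requested without a logged-in user. It assumes the vulnerable function deletes through WordPress core's wp_delete_post(); the file placement and the `adg_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Anonymous deletion guard (added example, stopgap for CVE-2025-14061)
 * Place in wp-content/mu-plugins/ so it loads regardless of other plugins.
 *
 * Assumption: gdpr_delete_policy_data() ends in wp_delete_post(), so the core
 * pre-delete filters see the request before anything is removed.
 */

// Contexts that legitimately delete posts with no logged-in user:
// WP-Cron (trash emptying, auto-draft cleanup) and WP-CLI.
function adg_is_background_context() {
    return wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI );
}

// Read one $_SERVER value in a form that is safe to write to a log line.
function adg_server_value( $key ) {
    return isset( $_SERVER[ $key ] )
        ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) )
        : '-';
}

// Filter callback: returning a non-null value stops the deletion in core.
function adg_guard_delete( $check, $post, $force_delete ) {
    if ( null !== $check ) {
        return $check; // another filter has already decided
    }
    if ( adg_is_background_context() || is_user_logged_in() ) {
        return $check; // not the unauthenticated case the advisory describes
    }
    error_log( sprintf(
        'adg: blocked anonymous delete post_id=%d type=%s force=%s ip=%s uri=%s',
        $post->ID,
        $post->post_type,
        $force_delete ? 'yes' : 'no',
        adg_server_value( 'REMOTE_ADDR' ),
        adg_server_value( 'REQUEST_URI' )
    ) );
    return false;
}

// wp_delete_post() hands attachments to wp_delete_attachment() before it
// reaches 'pre_delete_post', so both filters are needed to cover the post
// types named in the advisory ('pre_delete_attachment' needs WordPress 5.5+).
foreach ( array( 'pre_delete_post', 'pre_delete_attachment' ) as $adg_hook ) {
    add_filter( $adg_hook, 'adg_guard_delete', 10, 3 );
}
```

Some plugins delete their own post types from anonymous requests, so review the `adg:` log lines on a staging copy before relying on the block in production. Each logged line records the post ID, source address and request URI of a refused attempt, which is the deletion activity the advisory recommends watching for.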
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T20:05:20.864Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694254ebbd21432f8e5297c0
Added to database: 12/17/2025, 6:59:55 AM
Last enriched: 4/9/2026, 4:41:55 PM
Last updated: 5/8/2026, 7:54:33 PM