CVE-2025-51529: n/a
Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint.
AI Analysis
Technical Summary
CVE-2025-51529 is a medium-severity vulnerability affecting the 'jonkastonka Cookies and Content Security Policy' WordPress plugin up to version 2.29. The vulnerability arises from incorrect access control in the AJAX endpoint functionality, specifically the wp_ajax_nopriv_cacsp_insert_consent_data endpoint. This endpoint is accessible without authentication (as indicated by 'nopriv'), allowing remote attackers to invoke it without any privileges. The flaw permits attackers to perform unlimited database write operations, leading to resource exhaustion on the database server. This results in a denial of service (DoS) condition, where the backend database becomes overwhelmed and unable to process legitimate requests. The vulnerability is classified under CWE-284 (Improper Access Control), highlighting that the plugin fails to restrict access properly to sensitive operations. The CVSS v3.1 base score is 5.3, reflecting a medium impact primarily on confidentiality with no direct impact on integrity or availability according to the vector, although the described DoS effect impacts availability indirectly. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability does not require user interaction or privileges, making it easier to exploit remotely over the network.
Potential Impact
For European organizations using WordPress websites with the jonkastonka Cookies and Content Security Policy plugin (version 2.29 or earlier), this vulnerability poses a risk of service disruption due to database resource exhaustion. Such denial of service can degrade website availability, impacting user experience, e-commerce operations, and potentially causing reputational damage. Organizations handling sensitive user consent data under GDPR may face compliance risks if the service disruption affects their ability to manage or log consent properly. While the vulnerability does not directly compromise data confidentiality or integrity, the resulting downtime could interrupt critical business processes and customer interactions. The impact is more pronounced for high-traffic websites or those relying heavily on database-backed consent management. Since the exploit requires no authentication or user interaction, attackers can easily automate attacks, increasing the risk of widespread disruption.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their WordPress installations to identify the presence of the jonkastonka Cookies and Content Security Policy plugin version 2.29 or earlier. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implementing web application firewall (WAF) rules to restrict or rate-limit access to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint can help prevent abuse by limiting the number of requests from a single IP or blocking suspicious traffic patterns. Monitoring database performance and setting thresholds for write operations can provide early detection of potential exploitation attempts. Additionally, applying strict access control policies on the server and database layers, such as limiting database user permissions and isolating the database server, can reduce the impact of resource exhaustion. Organizations should stay alert for official patches or updates from the plugin vendor and apply them promptly once available.
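An added example, not part of the original advisory or the plugin's code: a per-client sliding-window counter over web access logs, the detection counterpart of the rate limiting recommended above. It assumes combined-format log lines (the sample is constructed) and that the AJAX action name, cacsp_insert_consent_data, taken from the hook name by WordPress convention, appears in the logged query string; the limit and window are illustrative values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action name implied by the hook wp_ajax_nopriv_cacsp_insert_consent_data.
ACTION = "cacsp_insert_consent_data"
URL = "/wp-admin/admin-ajax.php?action=" + ACTION
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def is_consent_write(method, target):
    """True for a POST to admin-ajax.php whose query string names the action."""
    path, _, query = target.partition("?")
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = [p.partition("=") for p in query.split("&")]
    return any(k == "action" and v == ACTION for k, _, v in params)

def flag_sources(lines, limit=5, window=timedelta(seconds=60)):
    """Return {ip: peak hits per window} for clients exceeding `limit`."""
    recent, peaks = defaultdict(deque), {}
    for line in lines:  # lines are expected in chronological order
        m = LINE_RE.match(line)
        if not m or not is_consent_write(m["method"], m["target"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > limit:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Helper that builds one constructed combined-format log line.
def make_line(ip, sec, target, method="POST"):
    ts = f"19/Aug/2025:20:{sec // 60:02d}:{sec % 60:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.1" 200 12'

# Constructed sample: one noisy client, one normal visitor, unrelated AJAX traffic.
SAMPLE = (
    [make_line("203.0.113.7", s, URL) for s in range(0, 40, 2)]
    + [make_line("198.51.100.4", s, URL) for s in (5, 400, 900)]
    + [make_line("192.0.2.9", s, "/wp-admin/admin-ajax.php?action=heartbeat")
       for s in range(30)]
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

Where the action is sent in the POST body rather than the query string, the same counting applies to a WAF or audit log that records the request body.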
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a4d876ad5a09ad00fab18b
Added to database: 8/19/2025, 8:03:02 PM
Last enriched: 8/19/2025, 8:17:56 PM
Last updated: 8/19/2025, 8:17:56 PM