CVE-2025-66080: CWE-862 Missing Authorization in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 4.0.3.
AI Analysis
Technical Summary
CVE-2025-66080 identifies a Missing Authorization vulnerability (CWE-862) in the WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin developed by WP Legal Pages. The plugin is widely used to manage cookie consent banners and compliance with privacy regulations such as GDPR, CCPA, and ePrivacy. The vulnerability arises from incorrectly configured access control: the plugin fails to restrict certain actions to authorized users, so a remote, unauthenticated attacker can trigger them over the network without any user interaction. The vulnerability does not compromise the confidentiality or integrity of data, but it can affect availability by allowing unauthorized changes to, or disruption of, the cookie notice functionality, which in turn can affect website compliance and user experience. All versions through 4.0.3 are affected; no patch links are currently available, indicating that a fix may be pending. The CVSS 3.1 base score is 5.3 (medium) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, meaning network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and impact limited to availability. No known exploits have been reported in the wild as of the published date (December 30, 2025).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the availability and proper functioning of cookie consent mechanisms, which are critical for compliance with privacy laws such as the GDPR and the ePrivacy Directive. Disruption or unauthorized modification of cookie notices can lead to non-compliance, resulting in regulatory fines and reputational damage. Compromised cookie consent functionality may also erode user trust and degrade website usability. Since the vulnerability does not affect confidentiality or integrity, direct data breaches are unlikely; however, the availability impact could cause service interruptions or misrepresentation of consent status. Organizations relying on this plugin for legal compliance and user consent management should weigh both the operational and the regulatory risk. Because no privileges or user interaction are required, exploitation is straightforward, which increases the likelihood of automated or opportunistic attacks if a public exploit emerges.
Mitigation Recommendations
Organizations should monitor WP Legal Pages’ official channels for patches addressing CVE-2025-66080 and apply updates promptly once available. In the interim, administrators should audit and tighten access controls related to cookie notice management, ensuring that only authorized users can modify cookie consent settings. A web application firewall (WAF) with rules that detect and block suspicious requests to the plugin’s endpoints can reduce exposure. Review plugin configurations and logs regularly for anomalous activity, and consider isolating or restricting access to the administrative interfaces that manage cookie notices. Maintain comprehensive backups and an incident response plan so that any disruption can be recovered from quickly. Educating site administrators about this vulnerability, minimizing plugin usage, or moving to alternative solutions with a stronger security posture may also reduce risk.
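The access-control audit recommended above comes down to one question per plugin entry point: is there a capability check before a settings-modifying action runs? The following illustration is added here and is not code from the WP Cookie Notice plugin; the hook names, option name and nonce action are hypothetical placeholders, while the WordPress functions used (`current_user_can`, `check_ajax_referer`, `register_rest_route` with `permission_callback`) are standard core APIs.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress plugin; not the
// vulnerable plugin's code. Hook names, option name and nonce action are
// hypothetical placeholders.

// Before: a settings-modifying AJAX handler with no authorization check.
// Registering it on wp_ajax_nopriv_ exposes it to unauthenticated visitors;
// even the wp_ajax_ variant alone would let any logged-in subscriber call it.
add_action( 'wp_ajax_nopriv_example_save_cookie_notice', 'example_save_cookie_notice_unsafe' );
add_action( 'wp_ajax_example_save_cookie_notice', 'example_save_cookie_notice_unsafe' );
function example_save_cookie_notice_unsafe() {
    // No capability check and no nonce: whoever reaches admin-ajax.php can
    // flip the setting, which is the availability impact the advisory describes.
    update_option( 'example_cookie_notice_enabled', isset( $_POST['enabled'] ) ? '1' : '0' );
    wp_send_json_success();
}

// After: logged-in action only, a real capability (not merely a login),
// and a nonce bound to this specific action.
add_action( 'wp_ajax_example_save_cookie_notice_v2', 'example_save_cookie_notice_safe' );
function example_save_cookie_notice_safe() {
    // Authorization: administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'example_cookie_notice_nonce', 'nonce' );

    $enabled = ! empty( $_POST['enabled'] ) ? '1' : '0';
    update_option( 'example_cookie_notice_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// The same rule applies to REST routes: permission_callback is where the
// authorization lives. Returning __return_true there is the REST-side
// equivalent of registering a wp_ajax_nopriv_ handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cookie-notice/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_cookie_notice_enabled', $req->get_param( 'enabled' ) ? '1' : '0' );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin, grep for `wp_ajax_nopriv_`, `admin_post_nopriv_` and `'permission_callback' => '__return_true'` and confirm that each hit is intentionally public and cannot change state.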
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:20:58.863Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695450a1db813ff03e2be03b
Added to database: 12/30/2025, 10:22:25 PM
Last enriched: 1/21/2026, 12:22:47 AM
Last updated: 2/5/2026, 4:28:42 AM