The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdpr_cookie_consent_ajax_save_schedule_scan() function (the wp_ajax_gcc_save_schedule_scan AJAX action) in versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's cookie scan schedule configuration stored in the gdpr_scan_schedule_data option, which is an administrative function intended to be limited to users with the manage_options capability.
Project Subscriptions
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wordpress
Wordpress wordpress Wplegalpages Wplegalpages cookie Banner For Gdpr / Ccpa – Wplp Cookie Consent |
|
| Vendors & Products |
Wordpress
Wordpress wordpress Wplegalpages Wplegalpages cookie Banner For Gdpr / Ccpa – Wplp Cookie Consent |
Fri, 10 Jul 2026 09:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdpr_cookie_consent_ajax_save_schedule_scan() function (the wp_ajax_gcc_save_schedule_scan AJAX action) in versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's cookie scan schedule configuration stored in the gdpr_scan_schedule_data option, which is an administrative function intended to be limited to users with the manage_options capability. | |
| Title | Cookie Banner for GDPR / CCPA <= 4.3.6 - Missing Authorization to Authenticated (Subscriber+) Scan Schedule Modification via gcc_save_schedule_scan AJAX Action | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-10T17:01:24.647Z
Reserved: 2026-06-22T21:19:30.826Z
Link: CVE-2026-12955
Updated: 2026-07-10T16:50:23.079Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T10:30:16Z
Weaknesses