PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12955 wplegalpages CVE debrief

The GDPR Cookie Consent plugin for WordPress has a vulnerability allowing unauthorized modification of data due to a missing capability check and nonce verification on the gdpr_cookie_consent_ajax_save_schedule_scan() function. Authenticated attackers with Subscriber-level access can modify the plugin's cookie scan schedule configuration. This vulnerability affects versions up to and including 4.3.6 of the plugin. The configuration is stored in the gdpr_scan_schedule_data option, which is intended to be an administrative function limited to users with the manage_options capability. To protect their sites, administrators of WordPress sites using the GDPR Cookie Consent plugin should be aware of this vulnerability and take immediate action.

Vendor
wplegalpages
Product
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators of WordPress sites using the GDPR Cookie Consent plugin, especially those with versions up to and including 4.3.6, should be aware of this vulnerability and take immediate action to protect their sites.

Technical summary

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdpr_cookie_consent_ajax_save_schedule_scan() function. This function is part of the wp_ajax_gcc_save_schedule_scan AJAX action. The vulnerability affects versions up to and including 4.3.6 of the plugin. An authenticated attacker with Subscriber-level access and above can exploit this vulnerability to modify the plugin's cookie scan schedule configuration, which is stored in the gdpr_scan_schedule_data option. This configuration is intended to be an administrative function limited to users with the manage_options capability.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential for authenticated attackers to modify sensitive configuration data.

Recommended defensive actions

  • Update the GDPR Cookie Consent plugin to a version that fixes this vulnerability, if available.
  • Restrict access to the plugin's configuration pages to users with the manage_options capability.
  • Monitor the plugin's configuration for unauthorized changes.
  • Consider implementing additional security measures such as two-factor authentication for all users, especially those with Subscriber-level access.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T09:16:52.987Z and was last modified on 2026-07-10T17:16:53.490Z. The vulnerability was reported by [email protected]. The NVD entry is currently Deferred.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.987Z and has not been modified since then. The NVD entry is currently Deferred.