CVE-2025-11754
Published: 19 February 2026
Summary
CVE-2025-11754 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-11754 is a vulnerability in the GDPR Cookie Consent plugin for WordPress, affecting all versions up to and including 4.1.2. The issue arises from a missing capability check on the 'gdpr/v1/settings' REST API endpoint, mapped to CWE-862 (Missing Authorization). Published on 2026-02-19, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no effects on integrity or availability.
Unauthenticated attackers can exploit this flaw remotely with low attack complexity and no user interaction. By accessing the exposed REST API endpoint, they can retrieve sensitive plugin settings, such as API tokens, email addresses, account IDs, and site keys, enabling potential data exfiltration or use in follow-on attacks.
References include the vulnerable code at line 77 in class-gdpr-cookie-consent-api.php from tag 4.0.1, a changeset 3443083 in the WordPress plugin repository, and Wordfence threat intelligence detailing the issue (ID 4107362f-ae21-4509-b83a-0bffbde23330). Mitigation involves updating the plugin to a version beyond 4.1.2, where the capability check is presumably added.
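As an added illustration of the weakness class described above (not the plugin's own code), a minimal WordPress REST route showing the vulnerable registration, whose permission callback always allows, beside the hardened form that enforces a capability before the handler runs. The namespace `example/v1`, the option key and the helper names are assumed.

```php
<?php
// Added example, not from the GDPR Cookie Consent plugin. Names below are assumed.

function example_get_settings( WP_REST_Request $request ) {
    // Settings object as stored by a hypothetical plugin; may hold tokens and keys.
    $settings = get_option( 'example_plugin_settings', array() );
    // Even for authorized callers, omit secrets the admin UI does not need to display.
    unset( $settings['api_token'] );
    return rest_ensure_response( $settings );
}

// Permission callback that enforces authorization (the missing check in CWE-862).
// rest_authorization_required_code() yields 401 for anonymous callers, 403 otherwise.
function example_settings_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to read these settings.', 'example' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_get_settings',
        // Vulnerable pattern: a callback that always allows (or no callback at all)
        // lets unauthenticated visitors read the whole settings object.
        //   'permission_callback' => '__return_true',
        // Hardened pattern: require a capability before the callback executes.
        'permission_callback' => 'example_settings_permission',
    ) );
} );
```

When reviewing a plugin, every `register_rest_route` call that returns data should carry a `permission_callback` that checks a capability or nonce; `__return_true` is appropriate only for routes that are intentionally public and return nothing sensitive.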
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207892
Vulnerability details
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on public REST endpoint enables remote exploitation of WordPress plugin (T1190) and direct exposure of API tokens/credentials (T1552).
Mitigating Controls (NIST 800-53 r5)
- Mandates enforcement of capability checks on the REST API endpoint to block unauthenticated access to sensitive plugin settings.
- Requires identification, reporting, and correction of the missing authorization flaw in the plugin via updates beyond version 4.1.2.
- Controls access to publicly accessible content exposed by the WordPress REST API endpoint, preventing unauthorized retrieval of sensitive data like API tokens.