cleantalk
Vulnerabilities and Security Researches

Complianz – GDPR/CCPA Cookie Consent, CVE-2026-4019

CVE, Research URL

CVE-2026-4019

Home page URL

Security reports for Complianz – GDPR/CCPA Cookie Consent

Application

Complianz – GDPR/CCPA Cookie Consent

Published on
Apr 29, 2026
Research Description
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.
Affected versions
max 7.4.6.
Status
vulnerable
Previous vulnerability researches
Majestic Support – Help Desk & Support Plugin (CVE-2025-49860) , Jun 20, 2025
Majestic Support – Help Desk & Support Plugin (CVE-2025-48283) , Jun 14, 2025
Majestic Support – Help Desk & Support Plugin (CVE-2025-48282) , Jun 14, 2025
Majestic Support – Help Desk & Support Plugin (CVE-2024-13601) , Feb 13, 2025
Majestic Support – Help Desk & Support Plugin (CVE-2025-64284) , Nov 11, 2025
New vulnerability
Social Post Embed (CVE-2026-6809) , Apr 30, 2026
Timeline Blocks for Gutenberg (CVE-2026-6551) , Apr 29, 2026
WPC Smart Messages for WooCommerce (CVE-2026-6725) , Apr 29, 2026
Check & Log Email (CVE-2026-5306) , Apr 29, 2026
Complianz – GDPR/CCPA Cookie Consent (CVE-2026-4019) , Apr 29, 2026