cleantalk
Vulnerabilities and Security Researches

Real Cookie Banner: GDPR & ePrivacy Cookie Consent, CVE-2025-12136

CVE, Research URL

CVE-2025-12136

Home page URL

Security reports for Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Application

Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Published on
Oct 24, 2025
Research Description
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
Affected versions
max 5.2.5.
Status
vulnerable
Previous vulnerability researches
WP iCal Availability (CVE-2023-46607) , Jun 10, 2024
WP iCal Availability (CVE-2023-41853) , Jun 07, 2024
New vulnerability
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2025-12136) , Nov 09, 2025
Smart Coupons For WooCommerce Coupons (CVE-2025-64358) , Nov 09, 2025
Media Library Assistant (CVE-2025-11738) , Nov 09, 2025
FileBird – WordPress Media Library Folders & File Manager (CVE-2025-11510) , Oct 29, 2025
WordPress Webinar Plugin – WebinarPress (CVE-2025-62972) , Oct 29, 2025