cleantalk
Vulnerabilities and Security Researches

Real Cookie Banner: GDPR & ePrivacy Cookie Consent, CVE-2025-12136

CVE, Research URL

CVE-2025-12136

Home page URL

Security reports for Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Application

Real Cookie Banner: GDPR & ePrivacy Cookie Consent

Published on
Oct 24, 2025
Research Description
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
Affected versions
max 5.2.5.
Status
vulnerable
Previous vulnerability researches
Smart Coupons For WooCommerce Coupons (808f02df1598cdfd0194cfe2e78dad090b230125) , Jun 07, 2024
Smart Coupons For WooCommerce Coupons (CVE-2025-64358) , Nov 09, 2025
New vulnerability
Popup Maker – Popup for opt-ins, lead gen, & more (CVE-2025-9490) , Nov 09, 2025
Real Cookie Banner: GDPR & ePrivacy Cookie Consent (CVE-2025-12136) , Nov 09, 2025
Smart Coupons For WooCommerce Coupons (CVE-2025-64358) , Nov 09, 2025
Media Library Assistant (CVE-2025-11738) , Nov 09, 2025
FileBird – WordPress Media Library Folders & File Manager (CVE-2025-11510) , Oct 29, 2025