QwikSec

Security Database

CVE

CWE

Training

CVE-2025-12136

Published: Oct 24, 2025

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.

Vendor	Product	Versions
devowl	Real Cookie Banner: GDPR & ePrivacy Cookie Consent	affected `0 - <= 5.2.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/7f559d7f-3faf-4549-b529-f4db03dce2dd?source=cve

https://infosecstuff.com/SSRF-Real-Cookie-Banner

https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L48

https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L210

https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L223

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

https://plugins.trac.wordpress.org/changeset/3378727

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.