Complianz – GDPR/CCPA Cookie Consent Plugin Vulnerability (CVE-2026-4019)

Security Alert Summary

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress contains a REST API endpoint that allows unauthenticated access to consent-area block content. An unauthenticated user can retrieve consent area content from posts without checks for publication status or read permissions, which can expose content stored in private, draft, or unpublished posts.


CVE Details

  • CVE ID: CVE-2026-4019
  • Affected component: Complianz – GDPR/CCPA Cookie Consent plugin (REST API endpoint)
  • Affected versions: All versions up to, and including, 7.4.5
  • Published: April 29, 2026 at 9:16:25 AM UTC
  • Last modified: April 29, 2026 at 9:16:25 AM UTC
  • CVSS v3.1: Base Score 5.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Authentication / Privileges / User interaction: No authentication required; privileges required: none; user interaction: none
  • Primary impact: Confidentiality: Low; Integrity: None; Availability: None
  • Weakness (CWE): CWE-862 (Missing Authorization)

Technical Details

The vulnerability originates from the REST API route /wp-json/complianz/v1/consent-area/{post_id}/{block_id} being registered with a permission_callback of __return_true, the WordPress helper that unconditionally returns true. As a result, the endpoint is callable by unauthenticated requests.

The endpoint handler, the cmplz_rest_consented_content() function, retrieves a post by ID using get_post() and extracts the consentedContent attribute from any complianz/consent-area block it finds. The function does not verify that the post is published nor whether the requesting user has permission to read the post. Because of these missing authorization checks, an unauthenticated attacker can read consent-area block content from private, draft, or otherwise unpublished posts.
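The registration and handler pattern described above, reconstructed as an added example (this is not the plugin's own source). The route, the cmplz_rest_consented_content() name, the complianz/consent-area block and its consentedContent attribute come from the advisory; the helper names prefixed cmplz_example_, the blockId attribute used to match the route's block_id, and the error codes are assumptions. The vulnerable line is shown commented out directly above its replacement, and the hardened permission_callback applies the same read check WordPress core uses for a single post:

```php
<?php
// Added illustrative example, not the plugin's actual code. Reconstructs the
// pattern the advisory describes and shows a hardened permission_callback.
// Assumed names: cmplz_example_* helpers and the 'blockId' block attribute.

// Anonymous visitors legitimately need consent-area content on public pages,
// so the check allows publicly viewable, non-password-protected posts and
// otherwise requires the 'read_post' capability for that specific post.
// is_post_publicly_viewable() requires WordPress 5.7 or later.
function cmplz_example_consent_area_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( is_post_publicly_viewable( $post ) && ! post_password_required( $post ) ) {
        return true;
    }
    // Draft, private, pending, scheduled or password-protected post: require the
    // same capability core uses for reading it. current_user_can() is false for
    // anonymous requests, so they are rejected here instead of being served.
    if ( current_user_can( 'read_post', $post->ID ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to read this post.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}

// Recursive search so consent-area blocks nested inside groups or columns are found.
// 'blockId' is an assumed attribute name for matching the route's block_id segment.
function cmplz_example_find_consent_area( array $blocks, string $block_id ) {
    foreach ( $blocks as $block ) {
        if ( 'complianz/consent-area' === $block['blockName']
            && ( ! isset( $block['attrs']['blockId'] ) || (string) $block['attrs']['blockId'] === $block_id ) ) {
            return $block;
        }
        if ( ! empty( $block['innerBlocks'] ) ) {
            $found = cmplz_example_find_consent_area( $block['innerBlocks'], $block_id );
            if ( null !== $found ) {
                return $found;
            }
        }
    }
    return null;
}

// Handler shape as described in the advisory: get_post() then extract
// consentedContent. With the permission_callback above, it is only reached
// for posts the caller is allowed to read.
function cmplz_rest_consented_content( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    $block = cmplz_example_find_consent_area( parse_blocks( $post->post_content ), (string) $request['block_id'] );
    if ( null === $block ) {
        return new WP_Error( 'cmplz_block_not_found', 'Consent area block not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'content' => $block['attrs']['consentedContent'] ?? '' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'complianz/v1', '/consent-area/(?P<post_id>\d+)/(?P<block_id>[A-Za-z0-9_-]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cmplz_rest_consented_content',
        // Vulnerable form from the advisory: every caller, authenticated or not, passes.
        // 'permission_callback' => '__return_true',
        'permission_callback' => 'cmplz_example_consent_area_permission',
    ) );
} );
```

One caveat when shipping a fix of this shape: WordPress only applies cookie authentication to REST requests that carry a valid X-WP-Nonce header, so front-end script that fetches this route while an editor previews a draft must send the nonce (for example via wp_create_nonce( 'wp_rest' )), or the request is treated as anonymous and now correctly receives 401.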

Impact is limited to disclosure of the content stored in consent-area blocks (a confidentiality impact). Nothing in the available data indicates code execution, modification of site data, or availability disruption.


How This Could Impact Your Website

Consider a typical small organization that uses WordPress for internal and public pages. The site owner may store internal contact lists, draft announcements, or contractor notes inside pages that include Complianz consent-area blocks. An unauthenticated attacker could fetch the consent-area content from those private or draft posts and access internal email addresses or notes that were intended to remain private.

Practical consequences include exposure of internal user email addresses or sensitive text snippets stored in consent-area blocks, which increases the risk of targeted phishing or social engineering against staff, contractors, or contributors. The issue affects only the consent-area block content returned by the endpoint; it does not imply direct administrative takeover or site-wide compromise based on the information given.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the plugin as soon as a version that addresses this issue (later than 7.4.5) is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and any accounts with write access to posts. This does not close the unauthenticated endpoint, but it limits who can place sensitive text in unpublished posts in the first place.
  • Avoid storing confidential text (internal contacts, credentials, contractor notes) in consent-area blocks of draft or private posts while the vulnerable version is installed.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and access logs for unusual requests to REST API endpoints, particularly requests to /wp-json/complianz/v1/consent-area/ and its ?rest_route=/complianz/v1/consent-area/ form, which reaches the same endpoint when pretty permalinks are disabled. A single client requesting many different post IDs in a short window is the enumeration pattern to look for.
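A small scanner for the monitoring step, added here as an example (not part of the original advisory or the plugin). It reads combined-format access log lines, matches both the pretty-permalink and ?rest_route= forms of the consent-area route, and reports per client IP how many distinct post IDs were requested. The log lines are constructed for the example and the threshold of five distinct posts is an assumed starting point, not a value from the page:

```php
<?php
// Added example, not the advisory's or the plugin's code. Scans constructed
// access log lines for consent-area route requests and flags clients that
// walk many different post IDs. Threshold is an assumption; tune it per site.

// Matches /wp-json/complianz/v1/consent-area/{post_id}/{block_id} and the
// ?rest_route= form after the query string has been URL-decoded.
const CMPLZ_EXAMPLE_ROUTE_PATTERN = '#complianz/v1/consent-area/(\d+)/([^/?&\s]+)#';

function cmplz_example_scan_log( array $lines, int $threshold = 5 ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        // Combined log format: IP ident user [time] "METHOD path HTTP/x" status size ...
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $time, $method, $path, $status ) = $m;
        if ( ! preg_match( CMPLZ_EXAMPLE_ROUTE_PATTERN, urldecode( $path ), $r ) ) {
            continue;
        }
        $per_ip[ $ip ]['posts'][ (int) $r[1] ] = true;
        $per_ip[ $ip ]['hits'][] = array(
            'time'     => $time,
            'method'   => $method,
            'post_id'  => (int) $r[1],
            'block_id' => $r[2],
            'status'   => (int) $status,
        );
    }

    $report = array();
    foreach ( $per_ip as $ip => $data ) {
        $distinct = count( $data['posts'] );
        $report[ $ip ] = array(
            'requests'       => count( $data['hits'] ),
            'distinct_posts' => $distinct,
            'post_ids'       => array_keys( $data['posts'] ),
            'suspicious'     => $distinct >= $threshold, // many different posts from one client
        );
    }
    return $report;
}

// Constructed sample: one ordinary visitor loading a public page twice, and one
// client sweeping sequential post IDs, including one request via ?rest_route=.
$sample_log = array(
    '203.0.113.10 - - [29/Apr/2026:10:01:12 +0000] "GET /wp-json/complianz/v1/consent-area/12/cmplz-a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [29/Apr/2026:10:01:40 +0000] "GET /wp-json/complianz/v1/consent-area/12/cmplz-a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Apr/2026:10:02:01 +0000] "GET /wp-json/complianz/v1/consent-area/1/x HTTP/1.1" 404 93 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:01 +0000] "GET /wp-json/complianz/v1/consent-area/2/x HTTP/1.1" 404 93 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:02 +0000] "GET /wp-json/complianz/v1/consent-area/3/x HTTP/1.1" 200 1480 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:02 +0000] "GET /wp-json/complianz/v1/consent-area/4/x HTTP/1.1" 200 220 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:03 +0000] "GET /?rest_route=%2Fcomplianz%2Fv1%2Fconsent-area%2F5%2Fx HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "python-requests/2.31"',
);

foreach ( cmplz_example_scan_log( $sample_log ) as $ip => $r ) {
    printf(
        "%-15s requests=%d distinct_posts=%d posts=[%s]%s\n",
        $ip,
        $r['requests'],
        $r['distinct_posts'],
        implode( ',', $r['post_ids'] ),
        $r['suspicious'] ? '  <-- enumeration pattern' : ''
    );
}
```

Run it with `php scan.php` against a real log by replacing $sample_log with file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES ). A 200 response for a post ID the site has never published is the strongest signal, but the log alone cannot tell you which posts are drafts, so correlate flagged IDs with the posts table before concluding that private content was read.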

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
