WeePie Cookie Allow Plugin Vulnerability (CVE-2026-4304)

Security Alert Summary

The WeePie Cookie Allow WordPress plugin is affected by an SQL injection vulnerability in the 'consent' parameter. Insufficient escaping and lack of prepared statements allow unauthenticated attackers to append additional SQL to existing queries, which can be used to extract sensitive information from the site database.


CVE Details

  • CVE ID: CVE-2026-4304
  • Affected component: WeePie Cookie Allow plugin for WordPress
  • Affected versions: All versions up to and including 3.4.11
  • Published: May 5, 2026 2:16:09 PM UTC
  • Last modified: May 5, 2026 2:16:09 PM UTC
  • CVSS v3.1: Base score 7.5, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: No authentication required (PR:N), no user interaction (UI:N); attack vector: network (AV:N); attack complexity: low (AC:L)
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

According to the advisory, the vulnerability is an SQL injection via the consent parameter. The plugin performs insufficient escaping of user-supplied data and does not sufficiently prepare the existing SQL query before incorporating the parameter. As a result, an attacker can append additional SQL statements to the query string.

This behavior enables unauthenticated attackers to extract sensitive information from the database by manipulating the consent parameter. The description does not name specific functions or REST endpoints; the issue is characterized by improper handling of the parameter and lack of prepared queries.
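The following is an added illustration, not code from the WeePie Cookie Allow plugin (the advisory does not reproduce the affected code): a hypothetical handler that reads a `consent` parameter and interpolates it into an SQL string, beside the WordPress-idiomatic fix that binds the value through `$wpdb->prepare()`. The function names, table name and accepted consent values are assumptions.

```php
<?php
// Hypothetical illustration of CWE-89 in a WordPress plugin handler.
// Not the WeePie Cookie Allow plugin's code; table and function names are assumed.
// Both handlers are reachable without authentication, matching the PR:N rating.

// VULNERABLE PATTERN: the request value is concatenated straight into the query.
// Any quote or SQL syntax inside $_POST['consent'] becomes part of the statement,
// which is exactly the defect class the advisory describes.
function wpca_example_lookup_unsafe() {
    global $wpdb;
    $consent = isset( $_POST['consent'] ) ? $_POST['consent'] : '';
    $table   = $wpdb->prefix . 'example_consents'; // assumed table name
    $sql     = "SELECT id, status FROM {$table} WHERE consent = '" . $consent . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: unslash and sanitise the input, restrict it to the values the
// feature actually stores, and bind it with $wpdb->prepare() so the database
// driver escapes it and it can no longer change the structure of the query.
function wpca_example_lookup_safe() {
    global $wpdb;
    $consent = isset( $_POST['consent'] )
        ? sanitize_text_field( wp_unslash( $_POST['consent'] ) )
        : '';

    // Allow-list (assumed values): reject anything the plugin never writes.
    $allowed = array( 'accepted', 'rejected', 'functional' );
    if ( ! in_array( $consent, $allowed, true ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'example_consents';
    // %s placeholder: the value is quoted and escaped by WordPress, never interpolated.
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE consent = %s",
        $consent
    );
    return $wpdb->get_results( $sql );
}
```

The table name is still interpolated in the safe version, but it is built from `$wpdb->prefix` and a constant, never from request data, which is the accepted WordPress convention.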


How This Could Impact Your Website

In a typical small business WordPress site, a site owner, internal staff (editors or content contributors), and an external contractor may all be present as user accounts. An attacker who can exploit this SQL injection could retrieve sensitive data from the site database, such as user records or stored content. This can include internal user email addresses and other information that increases the risk of targeted phishing or social engineering against staff or contractors.

The direct impact follows the CVSS rating: confidentiality loss is the primary concern; the vulnerability does not inherently indicate data tampering or service disruption. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and other low-privilege users who can submit input to the site.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and themes from the site.
  • Monitor site activity and database access for unusual behavior or unexpected queries.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
