CVE-2025-12136

Name of the Vulnerable Software and Affected Versions The Real Cookie Banner versions up to and including 5.2.4

Description The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is susceptible to Server-Side Request Forgery. This is caused by inadequate validation of the user-supplied URL in the /scanner/scan-without-login API endpoint. Authenticated attackers with administrator-level access or higher can leverage this to make web requests to arbitrary locations from the web application. Exploitation involves the url parameter, allowing attackers to query and modify information from internal services.

Recommendations Update The Real Cookie Banner to a version later than 5.2.4.