PT-2026-35885 · WordPress · The Complianz – Gdpr/Ccpa Cookie Consent

Published 2026-04-29 · Updated 2026-04-30 · CVE-2026-4019

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Complianz – GDPR/CCPA Cookie Consent versions prior to 7.4.6

Description

Unauthorized data access is possible because the REST API endpoint "/wp-json/complianz/v1/consent-area/{post_id}/{block_id}" uses __return_true as its permission_callback, so unauthenticated users can call it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block without verifying that the post is published or that the user has read permissions. This allows unauthenticated attackers to read content from private, draft, or unpublished posts.

Recommendations

Update to a version newer than 7.4.5. As a temporary workaround, restrict access to the "/wp-json/complianz/v1/consent-area/{post_id}/{block_id}" endpoint.
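
One way to apply the temporary workaround without disabling the endpoint for public posts is a must-use plugin that performs the missing check before the plugin's callback runs. This is an added example, not Complianz code or its official patch; the function name example_consent_area_guard is hypothetical, and the guard assumes the first path segment after consent-area/ is the numeric post ID. It is also stricter than the advisory requires in that it withholds password-protected posts from anonymous callers.

```php
<?php
/**
 * Plugin Name: Consent-area endpoint guard (added example, not Complianz code)
 * Temporary workaround for CVE-2026-4019; place in wp-content/mu-plugins/.
 */

add_filter( 'rest_pre_dispatch', 'example_consent_area_guard', 10, 3 );

// Hypothetical helper name. Returns $result unchanged to let the request
// proceed, or a WP_Error to stop it before the plugin's callback runs.
function example_consent_area_guard( $result, $server, $request ) {
	$prefix = '/complianz/v1/consent-area/';
	$route  = $request->get_route();

	// WordPress matches REST routes case-insensitively, so the guard must too.
	if ( 0 !== stripos( $route, $prefix ) ) {
		return $result; // Not the affected endpoint.
	}

	$deny = new WP_Error(
		'rest_forbidden',
		'Sorry, you are not allowed to read this content.',
		array( 'status' => rest_authorization_required_code() )
	);

	// Assumption: the first path segment after the prefix is the numeric post ID.
	$segments = explode( '/', substr( $route, strlen( $prefix ) ) );
	if ( ! ctype_digit( $segments[0] ) || (int) $segments[0] < 1 ) {
		return $deny; // Fail closed on anything unexpected.
	}

	$post = get_post( (int) $segments[0] );
	if ( ! $post ) {
		return $deny; // Same answer as for a post the caller may not read.
	}

	// Anonymous visitors: only published, non-password-protected content.
	if ( is_post_publicly_viewable( $post ) && '' === $post->post_password ) {
		return $result;
	}

	// Everyone else must pass the normal per-post read check.
	return current_user_can( 'read_post', $post->ID ) ? $result : $deny;
}
```

Remove the file once the site runs a fixed release, since the guard adds a get_post() lookup to every consent-area request.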

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-4019

Affected Products

The Complianz – Gdpr/Ccpa Cookie Consent