Simple GDPR Cookie Compliance Vulnerability (Medium) – CVE-2026-24604


Feb 25, 2026 | Plugins

Attack Vectors

CVE-2026-24604 is a Medium-severity issue (CVSS 5.3) affecting the Simple GDPR Cookie Compliance WordPress plugin (slug: simple-gdpr-cookie-compliance) in versions 2.0.0 and below. Because the weakness can be reached over the network and does not require a logged-in user, an external attacker can attempt to trigger the vulnerable behavior directly against your website.

From a business-risk perspective, this means the attack surface includes any site where the plugin is installed and publicly accessible—particularly high-visibility marketing sites where uptime, brand trust, and compliance posture matter.

Security Weakness

The plugin is vulnerable due to a missing authorization (capability) check on a function in versions up to, and including, 2.0.0. In plain terms, the plugin does not consistently verify that the requester is allowed to perform a specific action.

As a result, unauthenticated attackers may be able to perform an unauthorized action. (The public advisory does not specify the exact action in the summary, so it should be treated as a general access-control failure until you confirm the exposure in your environment.)
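As an added illustration of the weakness class described above (this is not the plugin's code and not the function the advisory refers to; every name here is hypothetical), a typical WordPress admin-ajax handler that is reachable by unauthenticated visitors without an authorization check, beside a hardened version:

```php
<?php
// Added illustration with hypothetical names (not the plugin's actual code):
// an admin-ajax handler exposed without authorization, and its hardened form.

// --- Vulnerable pattern: registered on wp_ajax_nopriv_, so any visitor can
// reach it, and there is no capability or nonce check before the write.
function sgcc_demo_save_unsafe() {
    $banner_text = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    update_option( 'sgcc_demo_banner_text', sanitize_text_field( $banner_text ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_sgcc_demo_save_unsafe', 'sgcc_demo_save_unsafe' );
add_action( 'wp_ajax_nopriv_sgcc_demo_save_unsafe', 'sgcc_demo_save_unsafe' );

// --- Hardened pattern: the handler is only registered for logged-in users,
// a capability check enforces authorization, and a nonce blocks CSRF.
function sgcc_demo_save_fixed() {
    // Authorization: require the capability needed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the settings page issues this nonce via
    // wp_create_nonce( 'sgcc_demo_save' ) and posts it as the 'nonce' field.
    check_ajax_referer( 'sgcc_demo_save', 'nonce' );

    $banner_text = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    update_option( 'sgcc_demo_banner_text', sanitize_text_field( $banner_text ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_sgcc_demo_save', 'sgcc_demo_save_fixed' );
```

When auditing a plugin for this pattern, look for every `wp_ajax_nopriv_` and REST route registration and confirm that each state-changing handler performs a `current_user_can()` check (a nonce alone only proves intent, not permission).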

Reference: CVE-2026-24604. Source: Wordfence vulnerability advisory.

Technical or Business Impacts

While this is rated Medium (CVSS 5.3) and does not indicate direct confidentiality or availability impact in the published vector, missing authorization issues are often a pathway to unwanted changes or misuse of site functionality. That can translate into business outcomes such as unexpected site behavior, disrupted consent experiences, or increased support and incident-response costs.

For marketing, compliance, and executive stakeholders, the practical risk is that an attacker may be able to influence how the site behaves (or how users experience consent-related elements), potentially affecting conversion performance, trust signals, and audit readiness.

Remediation: Update Simple GDPR Cookie Compliance to version 2.0.1 or newer (patched). After updating, confirm your WordPress core and other plugins are up to date and review any unusual administrative or site-configuration changes made around the time you were running a vulnerable version.

Similar Attacks

Authorization gaps and unauthenticated plugin weaknesses are a recurring cause of WordPress site incidents. Examples of real-world issues in this category include:

CVE-2020-25213 (WP File Manager) — a widely abused plugin vulnerability that enabled attackers to compromise sites at scale.
CVE-2019-9978 (ThemeGrill Demo Importer) — an unauthenticated vulnerability that was leveraged to take over vulnerable WordPress sites.
