CVE-2025-49993: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Cookie Script Cookie-Script.com WordPress plugin, tracked as CVE-2025-49993. The vulnerability was discovered by Nguyen Tran Tuan Dung and officially published on June 19, 2025. This security issue affects Cookie-Script.com plugin versions through 1.2.1, allowing exploitation of incorrectly configured access control security levels (Wiz, NVD).

The vulnerability is classified as a Broken Access Control issue (CWE-862) and has received a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network accessible, requires low attack complexity, and needs no privileges or user interaction (Wiz, WPScan).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as having a low severity impact, it could potentially compromise the security of affected WordPress installations (Patchstack).

A fix is available in version 1.2.2 of the Cookie-Script.com plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is unlikely to be exploited (Patchstack).