Complianz plugin CVE‑2026‑4019 exploited

- Complianz’s WordPress cookie-consent plugin patched CVE-2026-4019 on April 28 after researchers showed unauthenticated users could read hidden consent-block content from unpublished posts.
- The bug affects versions through 7.4.5, lives in a public REST endpoint, and carries a 5.3 CVSS score with no login required.
- It matters because consent plugins often sit on legal, marketing, and draft-policy pages that admins assume stay private.

A WordPress consent plugin sounds boring — but this bug is a clean example of how “privacy tooling” can create a totally different privacy problem. Complianz, a widely used cookie-banner plugin for WordPress, patched CVE-2026-4019 on April 28, 2026. The flaw let anyone on the internet query a REST endpoint and pull content from certain private, draft, or unpublished posts if those posts used a specific Complianz block. That is not a site takeover. But it is still a real data-exposure bug, and the whole point of the plugin makes the irony pretty sharp. (wordfence.com)

### What actually broke?

The vulnerable piece was a Complianz REST API route tied to its “consent area” block. In affected versions, the endpoint used a permission callback that effectively allowed public access, then fetched a post by ID and returned the block’s `consentedContent` without checking whether the post was published or whether the requester had permission to read it. Basically — the front door to that one content fragment was left unlocked. (wordfence.com)

### Which versions were affected?

Versions up to and including 7.4.5 were vulnerable. Version 7.4.6 is the patched release. Patchstack and Wordfence both list the issue as publicly disclosed on April 28, 2026, and both point site owners to the same fix — update immediately to 7.4.6 or later. (patchstack.com)

### What could an attacker see?

Not an entire private post by default. The exposed data was narrower: the content stored inside Complianz’s consent-area block. But that can still matter a lot. Consent plugins often liv[…] (patchstack.com) […]t to be public yet. (wordfence.com)

### Why is “unauthenticated” the key word?

Because no login was required. That changes the risk profile fast. A low-to-medium severity bug with no authentication can be probed at scale, especially on WordPress wh[…] (wordfence.com) […]less if the leaked text includes internal legal language, unpublished disclosures, or partner-specific terms. (patchstack.com)

### Is this being exploited in the wild?

I could not verify a trustworthy public confirmation of active exploitation for this specific CVE as of May 1, 2026. The reliable records I found document public disclosure, aff[…] (patchstack.com) […]e now — but not confirmed as actively exploited from the sources available. (github.com)

### Why does this matter beyond one plugin?

Because consent tools sit in a weird trust zone. Site owners treat them as compliance plumbing — almost like legal middleware. But they are still WordPress code with routes, callbacks, blocks, and all the usual ways software can fail. Complianz’s own plugin page highlights features like region-specific notices, proof-[…] (github.com) […]uch exactly the material organizations most assume is carefully fenced off. (wordpress.org)

### What should site owners do now?

Update to 7.4.6 or later first. Then check whether draft or private posts used Complianz consent-area blocks, review access logs for unusual hits to the plugin’s REST endpoints, and rotate any sensitive language or identifiers that may have appeared in those blocks. If a site cannot patch immediately, disabling the vulnerable plugin functionality or restrict[…] (wordpress.org) […] patching is the real fix. (patchstack.com)

### Bottom line

This is a narrow bug, not a catastrophe. But it lands in exactly the wrong place — software meant to help websites manage privacy exposed content those sites may have assumed was private. That is why CVE-2026-4019 matters. (wordfence.com)
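The pattern described under “What actually broke?” is a common WordPress REST mistake: a route registered with a permission callback that lets everyone through, and a handler that loads a post by ID without asking whether the caller may read it. The block below is an added illustration, not Complianz’s code and not taken from the advisories; it shows the weak shape next to a hardened one using standard WordPress APIs (`register_rest_route`, `get_post`, `get_post_status`, `current_user_can( 'read_post', … )`). The route namespace `example/v1`, the block name `example/consent-area`, and the assumption that the block stores its text in an attribute named `consentedContent` are all placeholders; only the attribute name itself appears in the write-up.

```php
<?php
/**
 * Added illustration (not the plugin's own code): the REST-route pattern the
 * article describes, first in its vulnerable shape, then hardened.
 * Assumptions: route namespace, block name, and that the block keeps its text
 * in an attribute called `consentedContent`.
 */

// Hypothetical block name; substitute the real one from the plugin's block.json.
const EXAMPLE_CONSENT_BLOCK = 'example/consent-area';

/**
 * Return the `consentedContent` attribute of the first consent-area block in a
 * post, or null when the post does not use the block.
 */
function example_extract_consented_content( WP_Post $post ): ?string {
    foreach ( parse_blocks( $post->post_content ) as $block ) {
        if ( EXAMPLE_CONSENT_BLOCK === $block['blockName'] ) {
            return $block['attrs']['consentedContent'] ?? null;
        }
    }
    return null;
}

/**
 * VULNERABLE pattern: `__return_true` makes the route public, and the handler
 * returns the block for any post ID regardless of status or caller.
 */
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/consent-area/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // anyone, logged in or not
        'callback'            => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( ! $post ) {
                return new WP_Error( 'not_found', 'No such post', array( 'status' => 404 ) );
            }
            // Drafts, pending, scheduled and private posts all come back here.
            return rest_ensure_response( array(
                'consentedContent' => example_extract_consented_content( $post ),
            ) );
        },
    ) );
}

/**
 * HARDENED pattern: the permission callback decides per request whether the
 * caller may read that particular post. Published, non-password posts stay
 * reachable for the front end; anything else goes through the `read_post`
 * meta capability, which WordPress maps to `read_private_posts` (or
 * authorship) for private posts and to edit rights for drafts.
 */
function example_can_read_consent_area( WP_REST_Request $request ) {
    $post   = get_post( (int) $request['id'] );
    $denied = new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    if ( ! $post ) {
        // Same answer for missing and unreadable posts, so the route does not
        // reveal which IDs exist as unpublished content.
        return $denied;
    }
    if ( 'publish' === get_post_status( $post ) && empty( $post->post_password ) ) {
        return true;
    }
    return current_user_can( 'read_post', $post->ID ) ? true : $denied;
}

function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/consent-area/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => 'example_can_read_consent_area',
        'callback'            => function ( WP_REST_Request $request ) {
            // The permission callback already guaranteed the post exists and is readable.
            $post = get_post( (int) $request['id'] );
            return rest_ensure_response( array(
                'consentedContent' => example_extract_consented_content( $post ),
            ) );
        },
    ) );
}

// Only the hardened route is registered; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The point to take from the comparison is where the check lives: a `permission_callback` that returns a constant can never reason about the requested resource, so any route that serves per-post data needs a callback that loads the post and asks WordPress’s capability system about that specific ID. Returning the same 403 for missing and unreadable posts is a deliberate choice so the endpoint does not become an oracle for which IDs hold unpublished content.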
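The remediation list under “What should site owners do now?” starts with finding out which draft or private posts actually carry a consent-area block, since that is the content the endpoint could have served before the update. The script below is an added example, not something from the plugin or the advisories; it enumerates unpublished posts, keeps those that contain the block, and prints a short preview of each `consentedContent` value so the owner can decide what needs rewording or rotating. It is meant to be run with WP-CLI (`wp eval-file audit-consent-blocks.php`), and the block name `example/consent-area` is a placeholder to replace with the plugin’s real block name.

```php
<?php
/**
 * Added audit example (not the plugin's own code). Lists every unpublished
 * post that contains a consent-area block, with a preview of its
 * `consentedContent` attribute. Run via: wp eval-file audit-consent-blocks.php
 * Assumption: the block name below and the attribute layout are placeholders.
 */

const EXAMPLE_CONSENT_BLOCK = 'example/consent-area';

/**
 * Return an array keyed by post ID with the post status, title and an
 * 80-character plain-text preview of the block content, covering every
 * non-published post of any post type that uses the consent-area block.
 */
function example_audit_unpublished_consent_blocks(): array {
    $findings = array();
    $query    = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => array( 'draft', 'pending', 'private', 'future' ),
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'no_found_rows'  => true,
    ) );

    foreach ( $query->posts as $post_id ) {
        $post = get_post( $post_id );
        // has_block() is a cheap pre-filter before parsing the block tree.
        if ( ! $post || ! has_block( EXAMPLE_CONSENT_BLOCK, $post ) ) {
            continue;
        }
        foreach ( parse_blocks( $post->post_content ) as $block ) {
            if ( EXAMPLE_CONSENT_BLOCK !== $block['blockName'] ) {
                continue;
            }
            $content = (string) ( $block['attrs']['consentedContent'] ?? '' );
            $findings[ $post_id ] = array(
                'status'  => $post->post_status,
                'title'   => $post->post_title,
                'preview' => mb_substr( wp_strip_all_tags( $content ), 0, 80 ),
            );
            break; // one finding per post is enough for triage
        }
    }
    return $findings;
}

$findings = example_audit_unpublished_consent_blocks();
if ( empty( $findings ) ) {
    WP_CLI::success( 'No unpublished posts contain the consent-area block.' );
} else {
    foreach ( $findings as $id => $f ) {
        WP_CLI::log( sprintf( '%d [%s] %s: %s', $id, $f['status'], $f['title'], $f['preview'] ) );
    }
    WP_CLI::warning( count( $findings ) . ' unpublished post(s) carried the block before patching.' );
}
```

Pair the output with the access-log review the article recommends: a post that shows up here and whose ID appears in requests to the plugin’s REST route from unexpected clients is the one whose block text should be treated as disclosed.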


Shared from Scout - Be the smartest in the room.