← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-4304 · CWE-89 · Disclosed 2026-05-05

The WeePie Cookie

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key left under the doormat, but only for houses that bought this exact lock

CVE-2026-4304 is an unauthenticated SQL injection in the premium WordPress plugin WeePie Cookie Allow via the consent parameter. Affected versions are all releases up to and including 3.4.11, and the vendor changelog shows the fix landed in 3.4.12. In plain terms, an attacker who can reach a site using this plugin may be able to make the application run attacker-controlled database queries and pull sensitive data out of the WordPress database.

The vendor's HIGH 7.5 rating is technically fair in a vacuum because the bug is remote, low-complexity, and requires no authentication. In real enterprise fleets, though, severity comes down because this is a specific premium plugin, not WordPress core, not a ubiquitous internet service, and there is no KEV listing, no strong exploitation evidence, and a very low EPSS signal in the intel you supplied. That makes it a real web-risk for exposed sites, but not an all-hands emergency across a 10,000-host estate.

"Unauthenticated SQLi is bad, but this is a niche premium WordPress plugin with no exploitation signal yet."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a public site running the plugin

An attacker first needs a WordPress site that actually uses WeePie Cookie Allow. Typical recon uses WPScan, passive fingerprinting, or direct HTML/asset inspection to identify the plugin or infer it from cookie-consent behavior and asset paths. This is still internet-reachable web-app recon, not deep intrusion.
Conditions required:
  • Target site is internet-facing
  • Site runs WordPress
  • Site has WeePie Cookie Allow installed
Where this breaks in practice:
  • This is a premium/niche plugin, not a broadly deployed default component
  • Many enterprises have few or no public WordPress properties at all
  • Plugin fingerprinting may be obscured by caching, custom paths, or asset minimization
Detection/coverage: Network scanners do not reliably identify this plugin. Detection is mostly through web crawling, plugin inventory, or filesystem/SBOM-style checks.
STEP 02

Reach the vulnerable request path

The attacker then has to reach the code path where the consent parameter is consumed. Tooling like curl, Burp Suite, or sqlmap can be used once the endpoint or request pattern is identified. Public summaries describe the vulnerable parameter, but they do not clearly publish the exact endpoint, which adds some practical friction.
Conditions required:
  • Vulnerable plugin version is present
  • Relevant request path is reachable without authentication
  • The vulnerable parameter is accepted in the deployed configuration
Where this breaks in practice:
  • The advisory text is light on exact exploit details
  • Reverse proxies, WAFs, or custom WordPress hardening may block noisy probing
  • Some deployments may not expose the same request path in a straightforward way
Detection/coverage: WAF and WordPress firewall products can often catch generic SQLi payloads, but coverage depends on rule quality and whether the probing is noisy or time-based.
STEP 03

Exploit SQL injection for data extraction

With the vulnerable path confirmed, sqlmap or handcrafted payloads can append SQL to the existing query and enumerate the database. The stated impact is confidentiality only, so the likely result is theft of WordPress data such as user records, hashes, emails, and possibly plugin-held consent log data. That is still serious because stolen WordPress credentials and user metadata often become stepping stones for follow-on compromise.
Conditions required:
  • Database queries are injectable through the consent parameter
  • Application responses expose enough signal for extraction
  • Database user permissions allow access to interesting tables
Where this breaks in practice:
  • Blind extraction can be slow and noisy
  • Least-privileged DB accounts reduce blast radius if actually implemented
  • WAF/rate limiting may disrupt automated extraction
Detection/coverage: Look for repeated requests with SQL metacharacters, time-delay patterns, unusual 500s, and bursts against consent-related routes. Wordfence and Patchstack both track this plugin family and have protective coverage around SQLi classes.
STEP 04

Turn stolen data into follow-on access

The direct CVSS impact stops at data disclosure, but operators should assume a second-stage risk. Attackers can take dumped wp_users data, target password reuse, crack weak hashes offline, or pivot into account takeover and content abuse. That follow-on path is common in WordPress intrusions, but it is not guaranteed by this CVE alone.
Conditions required:
  • Useful credentials or sensitive records are present
  • Passwords are weak or reused elsewhere
  • Administrative workflows depend on exposed WordPress identities
Where this breaks in practice:
  • Modern password hashing and MFA reduce credential reuse value
  • Many marketing sites have limited internal blast radius
  • The CVE itself does not grant direct code execution
Detection/coverage: Monitor for suspicious login attempts after any suspected SQLi activity, especially against wp-login.php, XML-RPC, and admin panels.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation signal found in the sources reviewed, and not listed in CISA KEV.
Proof-of-concept availabilityNo public PoC repo surfaced in the reviewed sources. Practical exploitation still looks straightforward with generic tools like sqlmap once the vulnerable route is identified.
EPSS0.00089 from the intel you supplied, which is very low and consistent with a narrow, low-signal target population.
KEV statusNot KEV-listed. The authoritative catalog reviewed did not include this CVE.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N — remote, no auth, low complexity, but confidentiality-only impact.
Affected versionsWeePie Cookie Allow <= 3.4.11.
Fixed version3.4.12. The vendor changelog says fixed: a vulnerability issue reported by WordFence (credits to Ren Voza) in v3.4.12.
Exposure populationThis is a WordPress plugin exposure, not a port/service exposure. Public scanner-style counting is weak here; exposure depends on whether a site is internet-facing and running this exact plugin.
Deployment signalCodecanyon shows roughly 6,660 sales, which means this is real software in production but still far from WordPress-core ubiquity.
Disclosure and creditPublicly disclosed 2026-05-05; researcher credit in Wordfence points to Ren Voza.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.3/10)

The decisive factor is exposure population: this is an unauthenticated internet bug, but only on sites running a specific premium WordPress plugin, which sharply narrows how much of a typical enterprise estate is actually reachable. The absence of KEV status, public campaign reporting, or meaningful EPSS pressure keeps this out of the HIGH bucket unless you know you have externally exposed WordPress properties using the plugin.

HIGH Affected version range and patched version
MEDIUM Enterprise-wide exploitability assessment
LOW Internet-wide exposed population estimate

Why this verdict

  • Downgrade for narrow population: this requires a public WordPress site running this exact premium plugin, which is a major reachability filter versus vendor-baseline CVSS.
  • No exploit pressure: your supplied intel shows EPSS 0.00089 and the CVE is not in KEV, with no public campaign evidence found in the reviewed sources.
  • Confidentiality-only impact: the published scoring does not include integrity or availability loss, and there is no direct RCE in the CVE as described.

Why not higher?

If this were WordPress core, a massively installed free plugin, KEV-listed, or already showing botnet-scale opportunistic exploitation, it would stay HIGH. It does not clear that bar from the evidence available. The biggest brake is that the attacker needs a site running a specific niche component before the bug matters at all.

Why not lower?

This is still unauthenticated remote SQL injection on an internet-facing web application component. If you do run affected sites, the path to database disclosure is real and the follow-on risk from dumped WordPress user data is non-trivial. That keeps it above LOW or IGNORE.

05 · Compensating Control

What to do — in priority order.

  1. Inventory the plugin — Identify every WordPress instance running WeePie Cookie Allow and flag versions <= 3.4.11. Because this is a MEDIUM verdict, there is no mitigation SLA — go straight to the 365-day remediation window, but do the inventory immediately so exposed web properties do not hide in the long tail.
  2. Harden SQLi filtering — Enable or verify WAF/WordPress firewall rules that block generic SQL injection probes against public sites. This is a containment measure for exposed sites while you move through the normal remediation window; it reduces drive-by mass scanning success but should not be treated as a substitute for upgrading.
  3. Reduce plugin exposure — Where possible, remove unused premium plugins and minimize anonymous access to nonessential dynamic routes. For a MEDIUM issue there is no noisgate mitigation deadline, but reducing unnecessary public attack surface now pays down the whole WordPress risk stack.
  4. Watch for follow-on logins — After any suspected probing, monitor wp-login.php, XML-RPC, admin sessions, and password reset flows for reuse of dumped identities. SQLi often becomes a credential and phishing problem before it becomes a persistence problem.
What doesn't work
  • Relying on internal network segmentation doesn't help if the affected site is public; this attack comes through the web tier.
  • Assuming MFA alone solves it is wrong; MFA helps with follow-on account takeover, not with the initial database extraction.
  • Basic network vulnerability scanning won't reliably find this because plugin presence and vulnerable versioning are usually discovered through web-app or filesystem inspection, not port banners.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or on a mounted webroot from an auditor workstation with read access to the plugin files; no root is required unless file permissions are locked down. Invoke it as bash check_weepie_cve_2026_4304.sh /var/www/html/wp-content/plugins or point it directly at the plugin directory such as bash check_weepie_cve_2026_4304.sh /var/www/html/wp-content/plugins/weePie-cookie-allow.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_weepie_cve_2026_4304.sh
# Detects whether WeePie Cookie Allow is vulnerable to CVE-2026-4304 based on local plugin version.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage error

set -u

TARGET="${1:-}"
FIXED_VERSION="3.4.12"
VULN_MAX="3.4.11"

usage() {
  echo "Usage: $0 <wp-content/plugins path | plugin directory path>"
}

verlte() {
  # returns success if $1 <= $2 using version sort
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

find_plugin_file() {
  local base="$1"
  local candidate=""

  if [ -f "$base/wp-cookie-allow.php" ]; then
    echo "$base/wp-cookie-allow.php"
    return 0
  fi

  if [ -d "$base" ]; then
    candidate=$(find "$base" -maxdepth 3 -type f \( -iname 'wp-cookie-allow.php' -o -iname '*cookie*allow*.php' \) 2>/dev/null | head -n1)
    if [ -n "$candidate" ]; then
      echo "$candidate"
      return 0
    fi
  fi

  return 1
}

extract_version() {
  local file="$1"
  awk 'BEGIN{IGNORECASE=1} /^[[:space:]]*Version:[[:space:]]*/ {sub(/^[[:space:]]*Version:[[:space:]]*/, ""); print; exit}' "$file" | tr -d '\r'
}

if [ -z "$TARGET" ]; then
  usage
  echo "UNKNOWN - missing path argument"
  exit 3
fi

if [ ! -e "$TARGET" ]; then
  echo "UNKNOWN - path does not exist: $TARGET"
  exit 2
fi

PLUGIN_FILE=""
if [ -d "$TARGET" ]; then
  # If caller passed wp-content/plugins, try common subdirectory names first.
  for d in "$TARGET/weePie-cookie-allow" "$TARGET/weepie-cookie-allow" "$TARGET/wp-cookie-allow" "$TARGET/cookie-allow"; do
    if [ -d "$d" ]; then
      PLUGIN_FILE=$(find_plugin_file "$d" || true)
      [ -n "$PLUGIN_FILE" ] && break
    fi
  done

  # Fallback: search under provided directory.
  if [ -z "$PLUGIN_FILE" ]; then
    PLUGIN_FILE=$(find_plugin_file "$TARGET" || true)
  fi
elif [ -f "$TARGET" ]; then
  PLUGIN_FILE="$TARGET"
fi

if [ -z "$PLUGIN_FILE" ] || [ ! -f "$PLUGIN_FILE" ]; then
  echo "UNKNOWN - could not locate WeePie Cookie Allow plugin main PHP file"
  exit 2
fi

VERSION=$(extract_version "$PLUGIN_FILE")
if [ -z "$VERSION" ]; then
  echo "UNKNOWN - found plugin file but could not parse version: $PLUGIN_FILE"
  exit 2
fi

if verlte "$VERSION" "$VULN_MAX"; then
  echo "VULNERABLE - WeePie Cookie Allow version $VERSION (fixed in $FIXED_VERSION)"
  exit 1
fi

if verlte "$FIXED_VERSION" "$VERSION" || [ "$VERSION" = "$FIXED_VERSION" ]; then
  echo "PATCHED - WeePie Cookie Allow version $VERSION"
  exit 0
fi

# Safety fallback for unusual version strings.
echo "UNKNOWN - parsed version $VERSION but comparison was inconclusive"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, find out whether you actually run this plugin anywhere before you let the vendor's 7.5 push you into fleet-wide panic. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use this week to inventory all WordPress properties, identify any WeePie Cookie Allow <= 3.4.11 instances, and patch or remove them in the normal web maintenance cycle, with every remaining affected instance closed inside the noisgate remediation SLA of 365 days. If you discover the plugin on a public-facing site handling user accounts or regulated data, treat that subset as a front-of-queue web fix even though the fleet-wide verdict stays MEDIUM.

Sources

  1. Freshy advisory summary for CVE-2026-4304
  2. Wordfence vulnerability listing for WeePie Cookie Allow
  3. Wordfence SQL injection protection listing
  4. Patchstack entry for WeePie Cookie Allow SQL injection
  5. Vendor changelog showing fix in 3.4.12
  6. Codecanyon product page with deployment signal
  7. CISA Known Exploited Vulnerabilities catalog
  8. FIRST EPSS project
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.