CVE-2025-51529

MEDIUM

Cookies and Content Security Policy < 2.29 - Denial of Service via Unlimited Database Write Operations

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-51529. PoCs published by piotrmaciejbednarski.

AI-analyzed exploit summary This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-51529, which targets an incorrect access control vulnerability in the WordPress Cookies and Content Security Policy plugin (version 2.29 and below). The exploit demonstrates a denial-of-service (DoS) attack by sending concurrent POST requests to the unauthenticated AJAX endpoint `wp_ajax_nopriv_cacsp_insert_consent_data`, causing database resource exhaustion.

Description

Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint.

Exploits (1)

nomisec WORKING POC 1 stars

by piotrmaciejbednarski · poc

https://github.com/piotrmaciejbednarski/CVE-2025-51529

View Code ZIP pw:eip

This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-51529, which targets an incorrect access control vulnerability in the WordPress Cookies and Content Security Policy plugin (version 2.29 and below). The exploit demonstrates a denial-of-service (DoS) attack by sending concurrent POST requests to the unauthenticated AJAX endpoint `wp_ajax_nopriv_cacsp_insert_consent_data`, causing database resource exhaustion.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: WordPress Cookies and Content Security Policy plugin <= 2.29

No auth needed

Prerequisites: Python 3.x · requests library · matplotlib library · threading library · target WordPress site with vulnerable plugin installed

MITRE ATT&CK

T1499 - Endpoint Denial of Service T1498 - Network Denial of Service

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Not Applicable

http://cookies.com

Not Applicable

http://johan.com

Product

https://gist.github.com/piotrmaciejbednarski/f738145c0ab24a110649dc16907e395b

Exploit, Third Party Advisory

https://github.com/piotrmaciejbednarski/CVE-2025-51529

Scores

CVSS v3 5.3

EPSS 0.0051

EPSS Percentile 39.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (1)

followmedarling/cookies_and_content_security_policy < 2.29

Published Aug 19, 2025

Tracked Since Feb 18, 2026