Bajorat Media
Vulnerability in Complianz | GDPR/CCPA (WordPress plugin)
XSS vulnerability discovered in Complianz WordPress GDPR/CCPA Cookie Consent plugin installed on over 800,000 websites.
Popular WordPress plugin for privacy compliance
A popular WordPress plugin for complying with data protection regulations, with over 800,000 installations, recently fixed a stored XSS vulnerability that could allow an attacker with an administrator account to plant a malicious script on the site, which then runs in the browser of anyone who views the affected page.
Complianz | GDPR/CCPA Cookie Consent WordPress Plugin
The Complianz plugin for WordPress is a tool that helps website owners comply with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The plugin manages multiple aspects of user privacy, including blocking third-party cookies, managing cookie consent (including per sub-region), and managing various aspects of cookie banners. Its versatility and usefulness are likely responsible for the tool's popularity; it currently has over 800,000 installations.
Complianz Plugin Stored XSS vulnerability
A stored XSS vulnerability has been discovered in the Complianz WordPress plugin. In a stored (or persistent) XSS, the attacker submits a script payload that the application saves on the server, for example in a settings field or a database record, and later serves back inside a page. Unlike a reflected XSS, which requires a victim to click a crafted link, a stored XSS fires for every user who simply visits the page where the stored payload is rendered. In this case the vulnerability is in the Complianz admin settings, and it comes down to two missing security measures.
1. Input sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is the standard practice of checking and cleaning everything submitted to a website, such as the contents of a form field, so that what is stored is what the field is meant to hold, for example plain text rather than HTML tags or a script. The official WordPress developer guide describes sanitization as:
“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”
2. Output escaping
The plugin also lacked output escaping. Escaping does not remove data; it encodes characters that have special meaning in the output context (for HTML: <, >, &, " and ') into entities such as &lt; and &amp; immediately before the value is written into the page, so the browser displays them as text instead of interpreting them as markup or script. Escaping on output is the second line of defence: it protects even when a value reached the database without being sanitized, whether through a missing check, an import, or an older vulnerable version of the plugin.
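To make the two missing measures concrete, here is an added illustration written for this article; it is not Complianz code and does not reproduce the actual vulnerable function. It shows a hypothetical cookie-banner text setting saved and rendered two ways: first in the pattern the advisory describes (no sanitization on save, no escaping on output), then hardened with WordPress core helpers. The option names, the form field name, the nonce action and the hook names are assumptions for the example; the WordPress functions used (sanitize_text_field, esc_html, esc_attr, wp_kses_post, current_user_can, check_admin_referer, update_option, get_option, wp_unslash) are real core functions.

```php
<?php
/**
 * Added example, not Complianz's own code.
 * Assumes it runs inside a loaded WordPress plugin. Option and field names
 * ('demo_banner_text', 'demo_banner_region', 'demo_banner_settings') are
 * hypothetical.
 */

// ----- Vulnerable pattern (the kind of defect the advisory describes) -----

// Save: the raw POST value is stored verbatim. The capability and nonce
// checks are present, but nothing inspects the content, so an administrator
// without the unfiltered_html capability (a multisite site admin, or any
// admin when DISALLOW_UNFILTERED_HTML is set) can still store
// "<script>...</script>" in the option.
function demo_save_banner_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_banner_settings' );
    update_option( 'demo_banner_text', wp_unslash( $_POST['demo_banner_text'] ) );
    update_option( 'demo_banner_region', wp_unslash( $_POST['demo_banner_region'] ) );
}

// Render: the stored values are concatenated straight into HTML, so any
// markup or script inside them executes for every visitor of the page.
function demo_render_banner_unsafe() {
    $text   = get_option( 'demo_banner_text', '' );
    $region = get_option( 'demo_banner_region', '' );
    echo '<div class="demo-banner" data-region="' . $region . '">' . $text . '</div>';
}

// ----- Hardened pattern -----

// Save: sanitize on the way in. The banner text is meant to be plain text,
// so sanitize_text_field() strips tags and control characters. If limited
// HTML were intended, wp_kses_post() would keep only the allowed tags and
// attributes and never a <script> element or an on* handler.
function demo_save_banner_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_banner_settings' );

    $raw_text   = isset( $_POST['demo_banner_text'] ) ? wp_unslash( $_POST['demo_banner_text'] ) : '';
    $raw_region = isset( $_POST['demo_banner_region'] ) ? wp_unslash( $_POST['demo_banner_region'] ) : '';

    update_option( 'demo_banner_text', sanitize_text_field( $raw_text ) );
    // Region codes have a known shape; validate against a whitelist rather
    // than merely sanitizing (validation is preferred where it is possible).
    $allowed_regions = array( 'eu', 'uk', 'us', 'ca', 'br', 'za', 'au' );
    $region          = in_array( $raw_region, $allowed_regions, true ) ? $raw_region : 'eu';
    update_option( 'demo_banner_region', $region );
}

// Render: escape on the way out, with the function matching the context.
// esc_html() for text between tags, esc_attr() inside an attribute value.
// Even if a stored value were poisoned by some other path, "<script>" is
// written as "&lt;script&gt;" and shown as literal text.
function demo_render_banner_safe() {
    $text   = get_option( 'demo_banner_text', '' );
    $region = get_option( 'demo_banner_region', 'eu' );
    printf(
        '<div class="demo-banner" data-region="%s">%s</div>',
        esc_attr( $region ),
        esc_html( $text )
    );
}

// Wire the hardened handlers up (hook names assumed for the example).
add_action( 'admin_post_demo_save_banner', 'demo_save_banner_safe' );
add_action( 'wp_footer', 'demo_render_banner_safe' );
```

The point of doing both is defence in depth: sanitization stops the payload from being stored, escaping stops it from executing if it is stored anyway. Note that a capability check such as current_user_can('manage_options') is not a substitute for either; it decides who may save the setting, not what the setting may contain.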
How serious is the vulnerability?
The vulnerability requires the attacker to already hold administrator privileges or above, which is the main reason it carries a moderate CVSS score of 4.4 out of 10 (ten being the most severe). It also only affects certain types of installations. On a normal single-site WordPress install, administrators have the unfiltered_html capability by default, meaning they are already allowed to publish arbitrary HTML and scripts, so storing a script through the settings page is not a privilege they lack. The issue matters where that capability has been withheld: on multisite networks, where ordinary site administrators do not have unfiltered_html, and on sites that define DISALLOW_UNFILTERED_HTML. There, the missing sanitization lets a site admin bypass the restriction and plant a script that runs in the browsers of other users, including super admins. According to Wordfence:
“This makes it possible for authenticated attackers with administrative privileges and above to inject arbitrary web scripts into pages that are executed whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.”
Update to the latest version
The vulnerability affects Complianz versions up to and including 6.5.5. Users are encouraged to update to version 6.5.6 or later. Source: Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 - Authenticated (Administrator+) Stored Cross-site Scripting via settings