XSS vulnerability discovered in the Complianz WordPress GDPR/CCPA Cookie Consent plugin, which is installed on over 800,000 websites.
Table of contents
Popular WordPress plugin for data protection compliance
A popular WordPress plugin privacy compliance program with over 800,000 installations recently fixed a stored XSS vulnerability that could allow an attacker to upload malicious scripts to launch attacks against website visitors.
Complianz | GDPR/CCPA Cookie Consent WordPress Plugin
The Compliance plugin for WordPress is a powerful tool that helps website operators to comply with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The plugin manages several aspects of user privacy, including the blocking of third-party cookies, the management of cookie consent (including per sub-region) and the management of various aspects related to cookie banners.
Its versatility and usefulness could be responsible for the popularity of the tool, which currently has over 800,000 installations.
Complianz Plugin Stored XSS vulnerability
A stored XSS vulnerability has been discovered in the Complianz WordPress plugin, which is a type of vulnerability that allows a user to upload a malicious script directly to the website server. Unlike a reflected XSS, which requires a website user to click on a link, a stored XSS involves a malicious script that is stored and deployed on the target website's server.
The vulnerability is in the Compliance Admin settings, which is a lack of two security functions.
1. input sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is a standard process of checking what is entered on a website, like into a form field, to ensure that what is entered is what is expected, like a text input as opposed to a script upload.
The official WordPress developer guide describes data cleansing as:
"Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when "more specific" isn't possible, sanitization is the next best thing."
2. output escaping
The plugin lacked output escaping, a security process that removes unwanted data before it is displayed to a user.
How serious is the vulnerability?
The vulnerability requires the attacker to have administrator privileges and above to carry out the attack. This could be the reason why this vulnerability is rated 4.4 out of 10, with ten being the highest level of vulnerability.
The vulnerability only affects certain types of installations.
According to Wordfence:
"This makes it possible for authenticated attackers with administrator privileges and beyond to inject arbitrary web scripts into pages that are executed whenever a user accesses an injected page.
This only affects multi-site installations and installations where unfiltered_html has been deactivated."
Update to the latest version
The vulnerability affects compliance versions equal to or lower than version 6.5.5. Users are encouraged to upgrade to version 6.5.6 or higher.