The Complianz plugin for WordPress, a popular privacy-compliance tool with over 800,000 installations, recently addressed a stored XSS vulnerability that could allow an attacker to store malicious scripts in the site and have them run in the browsers of site visitors. The plugin is designed to help website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) by managing various aspects of user privacy, including cookie consent and banner management.
The stored XSS vulnerability in the Complianz plugin was caused by a lack of input sanitization and output escaping in the admin settings. Input sanitization is the standard step of checking and cleaning data before it is stored, while output escaping encodes characters that the browser would otherwise interpret as markup before the data is rendered for the user. To exploit this vulnerability, an attacker would need at least administrator-level permissions, and it only affects specific types of installations, namely multi-site installations and those where the unfiltered_html capability has been disabled.
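To show the two missing controls named above in the place where they belong in a WordPress plugin, here is an added example (not Complianz code; the option name, function names and plugin header are hypothetical) that registers a settings field with a sanitize callback honouring the unfiltered_html capability, and renders the stored value once in the unsafe pattern the advisory describes and once with context-appropriate escaping. It assumes it is loaded as a plugin inside WordPress, where register_setting, current_user_can, wp_kses_post and esc_attr are available.

```php
<?php
/*
Plugin Name: Demo Banner Text (hypothetical example, not Complianz)
*/

// Hypothetical option holding a cookie-banner message; not a real Complianz option.
const DEMO_BANNER_OPTION = 'demo_banner_text';

// Register the option with a sanitize_callback so every write made through the
// Settings API passes through demo_sanitize_banner_text() before it is stored.
add_action( 'admin_init', function () {
    register_setting( 'demo_banner_group', DEMO_BANNER_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_banner_text',
        'default'           => '',
    ) );
} );

// Input sanitization: users without unfiltered_html (administrators on a
// multisite, or any user when the capability has been disabled) get the same
// restricted tag set WordPress applies to post content. Users who do hold the
// capability keep raw HTML, which matches core's own trust model for it.
function demo_sanitize_banner_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

// VULNERABLE pattern (the kind of code the advisory describes): the stored
// value is printed into an attribute and into the page body without escaping,
// so anything saved by a user lacking unfiltered_html reaches every visitor.
function demo_render_banner_unsafe() {
    $text = get_option( DEMO_BANNER_OPTION, '' );
    echo '<input type="text" name="' . DEMO_BANNER_OPTION . '" value="' . $text . '">';
    echo '<div class="demo-banner">' . $text . '</div>';
}

// HARDENED pattern: output escaping chosen per context. The attribute value is
// always entity-encoded with esc_attr(); the body is filtered with
// wp_kses_post() at render time, so a value stored before the fix cannot
// inject script either.
function demo_render_banner_safe() {
    $text = get_option( DEMO_BANNER_OPTION, '' );
    echo '<input type="text" name="' . esc_attr( DEMO_BANNER_OPTION ) . '" value="' . esc_attr( $text ) . '">';
    echo '<div class="demo-banner">' . wp_kses_post( $text ) . '</div>';
}
```

Sanitizing on save and escaping on output are both needed: the sanitize callback stops the bad value being stored, and the escaped renderer protects visitors even from values that were stored before the callback existed.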
The severity of the vulnerability is rated 4.4 out of 10, where ten is the most severe. Users are nevertheless advised to update the Complianz plugin to version 6.5.6 or higher, as the vulnerability affects versions 6.5.5 and earlier. By updating to the latest version, website owners remove the stored XSS vulnerability and the risk of attacks that exploit it.
In conclusion, website owners who use the Complianz plugin for WordPress are urged to update to the latest version to protect their sites from this security threat. Although the vulnerability requires specific permissions to exploit, it underscores the importance of addressing security issues promptly so that websites remain both safe and compliant with privacy regulations. For further information, users can refer to the Wordfence advisory on the vulnerability.