{"id":19930,"date":"2024-01-03T23:35:22","date_gmt":"2024-01-03T23:35:22","guid":{"rendered":"https:\/\/afreeurl.com\/?p=19930"},"modified":"2024-01-03T23:35:25","modified_gmt":"2024-01-03T23:35:25","slug":"complianz-wordpress-gdpr-compliance-plugin-vulnerability","status":"publish","type":"post","link":"https:\/\/afreeurl.com\/?p=19930","title":{"rendered":"Complianz WordPress GDPR Compliance Plugin Vulnerability"},"content":{"rendered":"<p>A popular WordPress privacy compliance plugin with over 800,000 installations recently patched a stored XSS vulnerability that could allow an attacker to upload malicious scripts to launch attacks against site visitors.<\/p>\n<h2>Complianz | GDPR\/CCPA Cookie Consent WordPress Plugin<\/h2>\n<p>The Complianz plugin for WordPress is a powerful tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).<\/p>\n<p>The plugin manages multiple facets of user privacy, including blocking third-party cookies, managing cookie consent (including by sub-region), and managing various aspects of cookie banners.<\/p>\n<p>Its versatility and usefulness help explain the popularity of a tool that currently has more than 800,000 installations.<\/p>\n<h2>Stored XSS vulnerability in the Complianz plugin<\/h2>\n<p>The Complianz WordPress plugin was found to have a stored XSS vulnerability, a type of vulnerability that allows a user to upload a malicious script directly to a website&#8217;s server. Unlike reflected XSS, which requires a website user to click on a crafted link, stored XSS involves a malicious script that is stored on and served from the target website&#8217;s server.<\/p>\n<p>The vulnerability is in Complianz&#8217;s administration settings and stems from the absence of two security measures.<\/p>\n<p><strong>1. 
Input Sanitization<\/strong><br \/>The plugin lacked sufficient input and output sanitization. Input sanitization is the standard process of checking what is entered into a website, such as a form field, to ensure that it is what is expected, for example plain text rather than a script.<\/p>\n<p><strong>The official <a href=\"https:\/\/developer.wordpress.org\/apis\/security\/sanitizing\/\" target=\"_blank\" rel=\"noopener\">WordPress Developer Guide describes data sanitization<\/a> as follows:<\/strong><\/p>\n<p>&#8220;Input sanitization is the process of securing\/cleaning\/filtering input data. Validation is preferred over sanitization because validation is more specific. But when &#8220;more specific&#8221; is not possible, sanitization is the best thing.&#8221;<\/p>\n<p><strong>2. Output Escaping<\/strong><br \/>The plugin lacked output escaping, a security process that removes unwanted data before it is rendered to a user.<\/p>\n<h2>How serious is the vulnerability?<\/h2>\n<p>The vulnerability requires an attacker to already hold administrator-level or higher permissions to execute the attack. That requirement is likely why the vulnerability has a score of 4.4 out of 10, where 10 represents the highest severity.<\/p>\n<p>The vulnerability also affects only specific types of installations.<\/p>\n<p><strong>According to Wordfence:<\/strong><\/p>\n<p>&#8220;This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts into pages that will be executed whenever a user accesses an injected page.<\/p>\n<p>This only affects multisite installations and installations where unfiltered_html has been disabled.&#8221;<\/p>\n<h2>Update to the latest version<\/h2>\n<p>The vulnerability affects Complianz versions 6.5.5 and lower. 
Users are advised to upgrade to version 6.5.6 or higher.<\/p>\n<p><strong>Read Wordfence&#8217;s advisory on the vulnerability:<\/strong><\/p>\n<p><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/complianz-gdpr\/complianz-gdprccpa-cookie-consent-655-authenticatedadministrator-stored-cross-site-scripting-via-settings\" target=\"_blank\" rel=\"noopener\">Complianz | GDPR\/CCPA Cookie Consent <= 6.5.5: Authenticated Stored Cross-Site Scripting (Admin+) via Settings<\/a><\/p>\n<p><a href=\"https:\/\/www.searchenginejournal.com\/complianz-wordpress-plugin-vulnerability\/504992\/\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A popular WordPress privacy compliance plugin with over 800,000 installations recently patched a stored XSS vulnerability that could allow an attacker to upload malicious scripts to launch attacks against site visitors. Complianz | GDPR\/CCPA Cookie Consent WordPress Plugin The Complianz plugin for WordPress is a powerful tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). 
The plugin manages multiple facets&#8230; <\/p>\n","protected":false},"author":1,"featured_media":19931,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-19930","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seo-news"],"_links":{"self":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/19930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=19930"}],"version-history":[{"count":1,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/19930\/revisions"}],"predecessor-version":[{"id":19932,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/posts\/19930\/revisions\/19932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=\/wp\/v2\/media\/19931"}],"wp:attachment":[{"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=19930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=19930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afreeurl.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=19930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}