Complianz WordPress GDPR Compliance Plugin Vulnerability

Jan 3, 2024 | SEO News Feeds | 0 comments


A popular WordPress plugin for privacy compliance with over 800,000 installations recently patched a stored XSS vulnerability that could allow an attacker to upload malicious scripts for launching attacks against site visitors.

Complianz | GDPR/CCPA Cookie Consent WordPress Plugin

The Complianz plugin for WordPress is a powerful tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The plugin manages multiple facets of user privacy including blocking third-party cookies, managing cookie consent (including per subregion), and managing multiple aspects related to cookie banners.

Its versatility and usefulness may account for the popularity of the tool, which currently has over 800,000 installations.

Complianz Plugin Stored XSS Vulnerability

The Complianz WordPress plugin was discovered to have a stored XSS vulnerability. Stored XSS is a type of vulnerability that allows a user to place a malicious script directly on the website server. Unlike a reflected XSS, which requires a site visitor to click a crafted link, a stored XSS involves a malicious script that is stored on, and served from, the target website’s own server.

The vulnerability is in the Complianz admin settings and takes the form of two missing security controls.

1. Input Sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is a standard process for checking what is entered into a website, such as a form field, to make sure the input is what’s expected, for example plain text rather than a script.

The official WordPress developer guide describes data sanitization as:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

2. Escaping Output
The plugin lacked output escaping, a security process that removes or neutralizes unwanted data before it is rendered in a user’s browser.
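The two missing controls are easiest to see side by side. The following is an added illustration written for this article, not code from the Complianz plugin: a settings field that is stored and printed raw, followed by the same field with sanitization on input and escaping on output. The option name demo_banner_text, the nonce action demo_save_setting and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not Complianz code. Option name 'demo_banner_text',
// nonce action 'demo_save_setting' and function names are hypothetical.

// Weak pattern: the submitted value is stored as-is and echoed as-is, so
// whatever markup an administrator-level user saves is later rendered in
// the browser of anyone who views the setting (the stored XSS class above).
function demo_save_setting_unsafe() {
    update_option( 'demo_banner_text', $_POST['demo_banner_text'] );
}
function demo_render_setting_unsafe() {
    echo '<input name="demo_banner_text" value="' . get_option( 'demo_banner_text' ) . '">';
}

// Hardened pattern: check capability and nonce, sanitize on input, and
// escape on output for the exact context in which the value is printed.
function demo_save_setting_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_setting' ); // verifies the _wpnonce field

    $raw = isset( $_POST['demo_banner_text'] ) ? wp_unslash( $_POST['demo_banner_text'] ) : '';

    // Plain-text setting: strip tags, line breaks and control characters.
    $clean = sanitize_text_field( $raw );

    // If the setting legitimately needs limited HTML, only accept raw markup
    // from users who hold unfiltered_html; everyone else is filtered through
    // the wp_kses_post() allow-list. On multisite, ordinary administrators
    // lack unfiltered_html by default, which is the configuration the
    // advisory describes as affected.
    // $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    update_option( 'demo_banner_text', $clean );
}
function demo_render_setting_safe() {
    $value = get_option( 'demo_banner_text', '' );
    wp_nonce_field( 'demo_save_setting' );
    // esc_attr() for attribute context, esc_html() for text-node context.
    echo '<input name="demo_banner_text" value="' . esc_attr( $value ) . '">';
    echo '<p>' . esc_html( $value ) . '</p>';
}
```

Sanitizing on save alone is not enough, because a value may reach the database through another path; escaping at the point of output is what guarantees the browser treats the stored value as data rather than markup.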

How Serious Is The Vulnerability?

The vulnerability requires the attacker to have administrator-level permissions or higher in order to execute the attack. That may be why the vulnerability is scored 4.4 out of 10, with 10 representing the highest severity.


The vulnerability only affects specific kinds of installations, too.

According to Wordfence:

“This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This only affects multi-site installations and installations where unfiltered_html has been disabled.”

Update To Latest Version

The vulnerability affects Complianz versions equal to or less than version 6.5.5. Users are encouraged to update to version 6.5.6 or higher.

Read the Wordfence advisory about the vulnerability:

Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings
