March 1st: Authenticated Stored XSS Vulnerability Patched

Last update: March 7, 2023

On March 1st 2023, Complianz patched a medium severity vulnerability in both Free & Premium. This affects Complianz versions 6.0 through 6.4.1. The latest release, 6.4.2, has been patched and released.

We advise updating Complianz to the latest version. As a general WordPress security best practice, and where possible, enable auto-updates and disable ‘Anyone can register’ under WordPress general settings; this mitigates a large portion of authenticated vulnerabilities.

The Authenticated Stored XSS vulnerability can only be leveraged by:

  • An authenticated user, i.e. a user with login credentials.
  • A capability of ‘contributor’ or higher.
  • A specific configuration of Complianz.

The plugins do not validate and escape some of their shortcode attributes before outputting them back in a page/post where a certain shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The PoC will be displayed on March 20, 2023, to give users time to update. Source: https://wpscan.com/vulnerability/caacc50c-822e-46e9-bc0b-681349fd0dda
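The defect class described above, unescaped shortcode attributes, is illustrated below with an added example that is not Complianz’ code. The shortcode name `example_banner`, its attributes `title`, `align` and `color`, and the two handler functions are hypothetical; the WordPress APIs used (`shortcode_atts`, `esc_attr`, `esc_html`, `add_shortcode`) are real. The vulnerable handler is shown next to a hardened one so the fix is visible in place.

```php
<?php
// Added example, not Complianz's code. The shortcode, attribute names and
// function names are hypothetical; the WordPress functions are real.

// VULNERABLE: attribute values are concatenated straight into HTML. A user
// who can write post content (contributor and above) controls these values,
// and the string is rendered verbatim when the post is previewed or published.
function example_banner_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Notice', 'align' => 'left', 'color' => '#000000' ),
        $atts,
        'example_banner'
    );
    return '<div class="banner banner-' . $atts['align'] . '" style="color:' . $atts['color'] . '">'
         . $atts['title'] . '</div>';
}

// HARDENED: each attribute is validated against what the shortcode actually
// expects, then escaped for the exact HTML context in which it is emitted.
function example_banner_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Notice', 'align' => 'left', 'color' => '#000000' ),
        $atts,
        'example_banner'
    );

    // Allow-list validation: only known alignment keywords are accepted.
    $allowed_align = array( 'left', 'center', 'right' );
    $align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

    // Format validation: the colour must be a 3- or 6-digit hex colour,
    // otherwise fall back to the default. (A plain regex is used rather than
    // sanitize_hex_color(), which is not loaded in every request context.)
    $color = preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $atts['color'] ) ? $atts['color'] : '#000000';

    // Context-aware escaping: esc_attr() inside attribute values,
    // esc_html() for text content between tags.
    return '<div class="banner banner-' . esc_attr( $align ) . '" style="color:' . esc_attr( $color ) . '">'
         . esc_html( $atts['title'] ) . '</div>';
}

add_shortcode( 'example_banner', 'example_banner_hardened' );
```

The point worth remembering for defenders: WordPress runs post content through KSES when a user without `unfiltered_html` saves it, but a shortcode’s output is generated by the plugin at render time, after that filtering. Validation and escaping of attribute values is therefore the plugin’s responsibility, which is exactly the gap this advisory closes.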
