A popular WordPress privacy-compliance plugin with over 800,000 installations recently patched a stored cross-site scripting (XSS) vulnerability that could allow an attacker to inject a malicious script into the plugin's settings, potentially launching attacks against other users of the site.
Complianz: GDPR/CCPA Cookie Consent WordPress Plugin
The Complianz plugin for WordPress is an essential tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The plugin manages multiple facets of user privacy, including blocking third-party cookies, managing cookie consent (including per subregion), and handling various aspects related to cookie banners. Its versatility and utility likely contribute to its popularity, with the tool currently boasting over 800,000 installations.
Complianz Plugin Stored XSS Vulnerability
The Complianz WordPress plugin was found to have a stored XSS vulnerability. In a stored XSS, the attacker's script is saved on the target site itself (here, in a plugin setting kept in the WordPress database) and is served to anyone who loads the affected page. Unlike a reflected XSS, which requires a victim to click a crafted link carrying the payload, a stored XSS needs no interaction beyond visiting the page.
The vulnerability resides in the Complianz admin settings and comes down to two missing safeguards:
1. Input Sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is the standard practice of checking and cleaning data on the way into a site, such as a settings form field, so that what is stored is what was expected; for example, a field meant to hold plain text should have markup such as a script tag stripped before it is saved.
The official WordPress developer guide describes data sanitization as:
"Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when ‘more specific’ isn’t possible, sanitization is the next best thing."
2. Escaping Output
The plugin also lacked output escaping, the process of encoding data for the context in which it is rendered (an HTML text node, an attribute value, a URL) so that the browser treats it as literal text rather than as markup or script. Sanitization and escaping are complementary: sanitization limits what is stored, escaping ensures that whatever is stored cannot execute when displayed.
How Serious Is The Vulnerability?
The vulnerability requires the attacker to already hold administrator-level permissions or higher, which is likely why it carries a CVSS score of 4.4 out of 10 (medium severity), with ten representing the most severe rating. The installation conditions matter as well: on a single-site WordPress install, administrators hold the unfiltered_html capability and may legitimately publish raw HTML and script, so an administrator injecting a script there crosses no security boundary. On a multisite network, only Super Admins hold unfiltered_html, and the capability can also be removed on single sites (for example with the DISALLOW_UNFILTERED_HTML constant); in those configurations the flaw let a site administrator do something WordPress is supposed to prevent.
According to Wordfence:
"This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
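To illustrate the two missing safeguards described above and the unfiltered_html condition in the Wordfence advisory, here is a minimal WordPress settings handler written for this article. It is an added example, not Complianz code: the option name demo_banner, the demo_* functions and the field names are hypothetical, and it assumes it runs inside WordPress with the Settings API available. The first handler stores and echoes the submitted value untouched; the second sanitizes on save and escapes on output using WordPress core functions.

```php
<?php
// Added example, not Complianz code. Runs inside WordPress (wp-admin);
// all demo_* names and the 'demo_banner' option are hypothetical.

/* ---- Vulnerable pattern: nothing sanitized on save, nothing escaped on output ---- */

function demo_vuln_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_banner_save' );
    // A <script>...</script> submitted here is stored verbatim in wp_options.
    update_option( 'demo_banner', $_POST['demo_banner'] );
}

function demo_vuln_render() {
    $opts = get_option( 'demo_banner' );
    // The stored string is written straight into markup: the script runs for
    // every user who loads this page.
    echo '<h2>' . $opts['title'] . '</h2>';
    echo '<input name="demo_banner[title]" value="' . $opts['title'] . '">';
}

/* ---- Hardened pattern: sanitize on the way in, escape on the way out ---- */

// Sanitize callback: runs whenever the option is written through the Settings API.
function demo_sanitize_banner( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Plain-text field: strips tags, invalid octets and stray whitespace,
    // so a <script> tag cannot survive the save.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // Rich-text field: keep only the tags core allows in post content
    // (no <script>, no on* attributes, no javascript: URLs) unless the saving
    // user holds unfiltered_html, which single-site administrators have and
    // multisite site administrators do not.
    $raw = (string) ( $input['message'] ?? '' );
    $clean['message'] = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    return $clean;
}

function demo_register_settings() {
    register_setting(
        'demo_banner_group',
        'demo_banner',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'demo_sanitize_banner',
            'default'           => array( 'title' => '', 'message' => '' ),
        )
    );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_render() {
    $opts = wp_parse_args(
        (array) get_option( 'demo_banner', array() ),
        array( 'title' => '', 'message' => '' )
    );

    // Escape for the context the value lands in, even though it was sanitized
    // on save: an option can also be written by other code or directly in the DB.
    echo '<h2>' . esc_html( $opts['title'] ) . '</h2>';                                  // text node
    echo '<input name="demo_banner[title]" value="' . esc_attr( $opts['title'] ) . '">'; // attribute
    echo '<textarea name="demo_banner[message]">' . esc_textarea( $opts['message'] ) . '</textarea>';
    // Markup that is meant to render: re-filter with kses rather than trust
    // what is stored, so a script that reached the database still does not execute.
    echo '<div class="demo-banner">' . wp_kses_post( $opts['message'] ) . '</div>';
}
```

With the Settings API, the sanitize callback runs on every write of that option, including the one made by options.php when the form is submitted, so the check is not tied to one admin endpoint. The hardened output deliberately re-filters the rich-text field with wp_kses_post() even for users who were allowed to store raw markup; for a banner shown to every visitor that loses nothing legitimate and removes any dependence on how the value got into the database.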
Update to Latest Version
The vulnerability affects Complianz versions 6.5.5 and earlier. Users are advised to update to version 6.5.6 or later.
Read the Wordfence advisory about the vulnerability:
Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated (Administrator+) Stored Cross-site Scripting via settings.