Impact
The Complianz – GDPR/CCPA Cookie Consent WordPress plugin is vulnerable to stored cross-site scripting through its cmplz-accept-link shortcode. Input supplied to the shortcode's attributes is neither sanitized nor escaped, so an attacker who can place the shortcode in content can inject arbitrary JavaScript that executes in the browser of every user who views the affected page. This enables actions such as session hijacking, credential theft, or defacement, and any WordPress site running the plugin and rendering this shortcode can be affected.
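The following is an added illustration, not code from the Complianz plugin: a generic WordPress shortcode handler showing the unescaped-attribute pattern behind this class of stored XSS, next to its hardened form. It assumes it runs inside WordPress; the shortcode name and attribute names are hypothetical.

```php
<?php
/**
 * Added example (not Complianz code). Demonstrates why a shortcode attribute
 * that is neither sanitized nor escaped becomes a stored XSS sink, and how the
 * handler should look instead. Assumes a WordPress runtime (shortcode_atts,
 * sanitize_*, esc_* and add_shortcode are WordPress core functions).
 * Shortcode and attribute names below are hypothetical.
 */

// Vulnerable pattern: attribute values are concatenated straight into HTML.
// Whoever can save [demo_accept_link text="..." class="..."] in a post
// controls the markup served to every visitor of that page.
function demo_accept_link_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Accept', 'class' => '' ),
        $atts,
        'demo_accept_link'
    );
    return '<a href="#" class="' . $atts['class'] . '">' . $atts['text'] . '</a>';
}

// Hardened pattern: sanitize each attribute on the way in, then escape it for
// the exact HTML context it is written into on the way out.
function demo_accept_link_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Accept', 'class' => '' ),
        $atts,
        'demo_accept_link'
    );
    $text  = sanitize_text_field( $atts['text'] );  // strips tags and control characters
    $class = sanitize_html_class( $atts['class'] ); // keeps only characters valid in a class name
    return sprintf(
        '<a href="#" class="%s">%s</a>',
        esc_attr( $class ), // attribute-value context
        esc_html( $text )   // text-node context
    );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_shortcode( 'demo_accept_link', 'demo_accept_link_hardened' );
```

When reviewing a shortcode handler, check that every `$atts[...]` value passes through a sanitize_* call and then an esc_* call matching its output context before it reaches the returned string.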
Affected Systems
The flaw affects the Complianz – GDPR/CCPA Cookie Consent WordPress plugin in all versions up to and including 7.4.3. Sites running any of these versions that allow contributor-level or higher users to use the cmplz-accept-link shortcode are affected. The product name is taken from the CNA data; the source provides no version details beyond 7.4.3.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% shows a very low but non-zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no large-scale exploitation has been reported. An attacker must be authenticated with contributor privileges or higher and must be able to add or edit content containing the shortcode. Successful exploitation lets the attacker embed malicious scripts that execute in every visitor's browser, potentially compromising credentials, data, or the site's reputation.
OpenCVE Enrichment