Description
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `”` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability.
Published: 2026-03-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Complianz – GDPR/CCPA Cookie Consent plugin contains a stored XSS that lets attackers with Contributor‑level or higher privileges inject arbitrary JavaScript into post content. The vulnerable function replaces encoded quotes with literal quotation marks without sanitizing the content, which causes the injected script to run whenever an affected page is viewed. This can lead to session hijacking, cookie theft, defacement, or further exploitation of the victim’s browser.

Affected Systems

WordPress sites running the Complianz plugin on or before version 7.4.4.2 are affected. An authenticated user with Contributor or higher rights can exploit the flaw, and the Classic Editor plugin must be installed and activated for the attack to work.

Risk and Exploitability

The issue scores a moderate CVSS of 4.9 and does not appear in the KEV catalog, and no EPSS data is available. Because exploitation requires authenticated access, the risk depends on the presence of Contributor accounts and the use of the Classic Editor. If those conditions exist, the risk is significant, though widespread public exploitation is unlikely at present.

Generated by OpenCVE AI on March 26, 2026 at 15:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Complianz – GDPR/CCPA Cookie Consent plugin to the latest version (higher than 7.4.4.2).
  • If the Classic Editor plugin is not required for site editing, deactivate or remove it.
  • Review all existing post content and settings for any injected scripts and remove them.
  • Limit or remove contributor‑level accounts to reduce the attack surface.
  • Monitor site logs and traffic for signs of XSS activity or abnormal script execution.

Generated by OpenCVE AI on March 26, 2026 at 15:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Complianz
Complianz complianz – Gdpr/ccpa Cookie Consent
Wordpress
Wordpress wordpress
Vendors & Products Complianz
Complianz complianz – Gdpr/ccpa Cookie Consent
Wordpress
Wordpress wordpress

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `&#8221;` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability.
Title Complianz – GDPR/CCPA Cookie Consent <= 7.4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Filter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Complianz Complianz – Gdpr/ccpa Cookie Consent
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:32.100Z

Reserved: 2026-02-12T02:24:44.168Z

Link: CVE-2026-2389

cve-icon Vulnrichment

Updated: 2026-03-26T14:26:53.136Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T14:16:09.843

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-2389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:44Z

Weaknesses