Last update: March 7, 2023
On March 1, 2023, Complianz patched a medium-severity vulnerability in both the Free and Premium plugins. The issue affects Complianz versions 6.0 through 6.4.1; the fix is included in release 6.4.2.
We advise updating Complianz to the latest version. As a general WordPress security best practice, enable auto-updates where possible and disable ‘Anyone can register’ under Settings > General: this removes a large share of the attack surface for vulnerabilities that require an authenticated account, including this one.
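The two recommendations above can be enforced in code rather than left to dashboard settings. The following must-use plugin is an added example (not Complianz’ own code); it pins ‘Anyone can register’ to off and opts the Complianz plugins into automatic updates. The plugin slugs `complianz-gdpr` and `complianz-gdpr-premium` are assumptions, and the premium plugin ships its own updater, so check which slug your update response actually carries.

```php
<?php
/*
 * Plugin Name: Site hardening (added example, not Complianz code)
 * Description: Place in wp-content/mu-plugins/ so it loads on every request
 *              and cannot be deactivated from the dashboard.
 *              The plugin slugs below are assumed, not taken from Complianz.
 */

// 1. Force "Anyone can register" off regardless of the stored option value.
//    option_users_can_register covers every get_option() read;
//    pre_update_option_users_can_register stops Settings > General from
//    writing a 1 back into the database.
add_filter( 'option_users_can_register', '__return_zero' );
add_filter( 'pre_update_option_users_can_register', '__return_zero' );

// 2. Opt the Complianz plugins into automatic updates so a security release
//    is applied without waiting for an administrator. Every other plugin
//    keeps whatever auto-update setting it already has.
add_filter(
    'auto_update_plugin',
    function ( $update, $item ) {
        $force = array( 'complianz-gdpr', 'complianz-gdpr-premium' ); // assumed slugs
        if ( isset( $item->slug ) && in_array( $item->slug, $force, true ) ) {
            return true;
        }
        return $update;
    },
    10,
    2
);
```

Because mu-plugins load before regular plugins and have no activation switch, an attacker who gains an Administrator session cannot undo these settings from the dashboard; they would need file-system access.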
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. The PoC will be published on March 20, 2023, to give users time to update. Source: https://wpscan.com/vulnerability/caacc50c-822e-46e9-bc0b-681349fd0dda
The Authenticated Stored XSS vulnerability can only be exploited by an attacker who has all of the following:
- An authenticated account, i.e. a user with login credentials
- The Contributor role or higher
- A specific configuration of Complianz
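The reason a Contributor can reach stored XSS through a shortcode attribute is that Contributors lack the `unfiltered_html` capability, so WordPress runs their post content through KSES on save; KSES only inspects `<tag>` constructs, and a shortcode attribute such as `color='" onmouseover="alert(1)'` contains none, so it is stored verbatim and only becomes markup when the shortcode handler echoes it. The block below is an added example, not Complianz’ code: the shortcode name `demo_banner` and its attributes are hypothetical. It shows a handler with the bug class described above beside a hardened version that validates what can be allow-listed and escapes everything else for the context it lands in.

```php
<?php
/*
 * Added example, not Complianz code. The shortcode "demo_banner" and its
 * attributes (title, color, url) are hypothetical.
 */

$demo_banner_defaults = array( 'title' => '', 'color' => 'blue', 'url' => '' );

// VULNERABLE: attributes are concatenated straight into HTML.
//   [demo_banner color='" onmouseover="alert(1)']
//   -> <div class="banner " onmouseover="alert(1)">...
//   [demo_banner url="javascript:alert(1)"]
//   -> <a href="javascript:alert(1)">
// KSES did not touch either payload on save because neither contains a <tag>.
function demo_banner_vulnerable( $atts ) {
    global $demo_banner_defaults;
    $atts = shortcode_atts( $demo_banner_defaults, $atts, 'demo_banner' );
    return '<div class="banner ' . $atts['color'] . '">'
         . '<a href="' . $atts['url'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// HARDENED: allow-list values that have a closed set, escape the rest on
// output with the escaper that matches the context (attribute, URL, text).
function demo_banner_hardened( $atts ) {
    global $demo_banner_defaults;
    $atts = shortcode_atts( $demo_banner_defaults, $atts, 'demo_banner' );

    // Closed set of class names: anything else falls back to the default.
    $allowed_colors = array( 'blue', 'red', 'green' );
    $color = in_array( $atts['color'], $allowed_colors, true ) ? $atts['color'] : 'blue';

    // esc_url() returns '' for javascript:, data: and other disallowed schemes.
    $url = esc_url( $atts['url'] );

    return '<div class="banner ' . esc_attr( $color ) . '">'
         . '<a href="' . $url . '">' . esc_html( $atts['title'] ) . '</a>'
         . '</div>';
}

add_shortcode( 'demo_banner', 'demo_banner_hardened' );
```

When reviewing a plugin for this bug class, grep its `add_shortcode` callbacks for attribute values that reach the returned string without passing through `esc_attr()`, `esc_url()`, `esc_html()` or an allow-list; `shortcode_atts()` supplies defaults but performs no sanitisation of its own.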