October 14th: Vulnerability Patched in Complianz

Get compliant today in the European Union, United States, Canada, United Kingdom, Australia, Brazil & South Africa with the only Privacy Suite for WordPress that offers a fully-featured plugin for Worldwide Compliance.

About the Authenticated SQL Injection Vulnerability

In short, an Authenticated SQL Injection was fixed in last week's Complianz update for both Free and Premium. We advise you to keep your plugins updated, and to read below for more information.

What happened?

We received a report of an Authenticated SQL injection vulnerability in Complianz (free version 6.3.3 & Premium version 6.3.3 – 6.3.5) on October 12th.

We immediately started validation and confirmed that improper sanitization of a translatable string made it possible for a malicious, authenticated (logged-in) translator to insert code that Complianz would execute under very specific conditions and only when a specific setting was enabled (disabled by default).
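To make the root cause concrete, here is an added illustration of the pattern described above: a translated string flowing into a query. This is example code written for this post, not Complianz's own code, and the table name, column and text domain are hypothetical; the point is that translation catalogs are editable by translator accounts, so the output of `__()` is untrusted input as far as the database is concerned.

```php
<?php
// Added example, not Complianz's code. Assumes a hypothetical table
// {$wpdb->prefix}example_table with an `id` and a `label` column.

// Translations come from .po/.mo files or a translation UI that users with
// the translator role can edit, so the value __() returns is controlled by
// whoever last edited the catalog, not by the plugin author.
$label = __( 'Statistics', 'hypothetical-textdomain' );

// Vulnerable pattern: the translated string is spliced into the SQL text,
// so an edited catalog entry can change the structure of the query.
function lookup_vulnerable( $label ) {
    global $wpdb;
    $sql = "SELECT id FROM {$wpdb->prefix}example_table WHERE label = '" . $label . "'";
    return $wpdb->get_var( $sql );
}

// Hardened pattern: the translated string is passed as a bound %s value.
// $wpdb->prepare() escapes it, so it is always treated as data and can
// never alter the query, whatever the catalog contains.
function lookup_hardened( $label ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}example_table WHERE label = %s",
        $label
    );
    return $wpdb->get_var( $sql );
}

// When reviewing a plugin, grep for string concatenation or interpolation
// of __(), _e(), esc_html__() and similar results into $wpdb calls; every
// such site should go through prepare() like lookup_hardened() above.
```

The same rule applies to any other value a low-privileged role can edit (options, post meta, taxonomy terms): treat it as user input and bind it, rather than trusting it because it "came from the database".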

We released an update to both the Free (6.3.4) and Premium (6.3.6) versions of Complianz on Friday, October 14 that removed the vulnerability, and we advise everyone to install the latest update.

Although SQL injections are a serious issue, we would like to remind you that this specific vulnerability was only exploitable in very specific circumstances with specific settings in Complianz. We have no indications that the vulnerability was exploited.

If you have any questions, please contact our support team. We thank @saggre for the discovery and coordinated disclosure of this vulnerability, keeping our WordPress ecosystem safe.
