October 14th: Vulnerability Patched in Complianz

About the Authenticated SQL Injection Vulnerability

In short: an authenticated SQL injection was fixed in the latest Complianz update, released last week for both the Free and Premium versions. We advise you to keep your plugins updated, and read below for more information.

What happened?

We received a report of an authenticated SQL injection vulnerability in Complianz (Free version 6.3.3, Premium versions 6.3.3 – 6.3.5) on October 12th.

We immediately started validation and confirmed that improper sanitization of a translatable string made it possible for a malicious, authenticated (logged-in) user with translator rights to insert SQL that Complianz would execute, but only under very specific conditions and only when a specific setting was enabled (it is disabled by default).
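
The bug class described above, shown as an added illustration that is not Complianz's code: a string a translator controls (what a plugin gets back from `__()` or a stored translation for a label) is concatenated into a SQL query, beside the hardened form that binds it as a parameter. The `cookie_groups` table, its rows and the translations are constructed for this example, and an in-memory SQLite database via PDO stands in for the WordPress `$wpdb` connection.

```php
<?php
// Added illustration of a translatable string reaching SQL unescaped.
// NOT Complianz's code: table, rows, function names and translations are
// constructed here; PDO + SQLite stands in for WordPress' $wpdb.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cookie_groups (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO cookie_groups (name) VALUES ('Statistics'), ('Marketing'), ('Functional')");

// Constructed translations of the same label: one benign, one saved by a
// malicious translator. In WordPress this is the value __() would return
// for the active locale, i.e. input that a translator role controls.
$translations = [
    'en_US' => 'Statistics',
    'xx_XX' => "Statistics' OR '1'='1",   // constructed payload
];

// VULNERABLE: the translated label is interpolated straight into the query,
// so the quote in the payload terminates the literal and the rest is SQL.
function count_by_name_vulnerable(PDO $db, string $label): int {
    $sql = "SELECT COUNT(*) FROM cookie_groups WHERE name = '$label'";
    return (int) $db->query($sql)->fetchColumn();
}

// HARDENED: the label is bound as a parameter, so the payload is matched as
// a literal string and no longer alters the query. In a WordPress plugin the
// equivalent is $wpdb->prepare("... WHERE name = %s", $label).
function count_by_name_hardened(PDO $db, string $label): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM cookie_groups WHERE name = ?");
    $stmt->execute([$label]);
    return (int) $stmt->fetchColumn();
}

foreach ($translations as $locale => $label) {
    printf("%s vulnerable=%d hardened=%d\n", $locale,
        count_by_name_vulnerable($db, $label),
        count_by_name_hardened($db, $label));
}
```

Running it shows the vulnerable query matching every row for the malicious locale while the hardened query matches none, which is the practical lesson of this advisory: translation strings are user-supplied data from a lower-privileged role and must be treated like any other untrusted input, never as constants safe to concatenate into queries.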

We released an update to both the Free (6.3.4) and Premium (6.3.6) versions of Complianz on Friday, October 14 that removes the vulnerability, and we advise everyone to install the latest update.

Although SQL injection is a serious class of vulnerability, we would like to remind you that this specific issue was only exploitable under very specific circumstances and with specific Complianz settings. We have no indication that the vulnerability was exploited.

If you have any questions, please contact our support team. We thank @saggre for the discovery and coordinated disclosure of this vulnerability, helping to keep the WordPress ecosystem safe.
