CVE-2023-6498 in Complianz Plugin
Summary
by MITRE • 01/04/2024
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 6.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The CVE-2023-6498 vulnerability affects the Complianz GDPR/CCPA Cookie Consent plugin for WordPress, representing a critical stored cross-site scripting flaw that compromises the security of affected installations. This vulnerability exists in all versions up to and including 6.5.5, making it a widespread concern for WordPress administrators who rely on this popular compliance plugin. The flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's administrative settings functionality, creating a persistent vector for malicious code injection that can affect multiple users within the compromised environment.
The technical nature of this vulnerability places it squarely within the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS variant where malicious scripts are permanently stored on the server and executed when other users access affected pages. Attackers with administrator-level permissions or higher can exploit this weakness by injecting malicious JavaScript code through the plugin's administrative interface, which then gets stored in the database and executed whenever legitimate users access pages containing the injected content. This particular vulnerability requires elevated privileges to exploit, as it targets the administrative settings rather than public-facing interfaces, but the impact remains severe given the privileged access required.
The operational impact of CVE-2023-6498 is particularly concerning in multi-site WordPress installations where the vulnerability is confirmed to exist, as these environments often host multiple organizations or departments under a single administrative umbrella. When unfiltered_html is disabled on affected installations, the vulnerability becomes more pronounced because the normal security measures that would otherwise prevent script execution are bypassed. This creates a scenario where attackers can execute arbitrary web scripts that could potentially steal session cookies, redirect users to malicious sites, or perform other malicious activities that compromise user data and system integrity. The stored nature of the vulnerability means that the injected scripts persist indefinitely until manually removed, creating ongoing security risks for all users who access pages containing the malicious content.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the Complianz plugin where the XSS vulnerability has been patched, conducting thorough security audits of administrative settings, and implementing additional monitoring for suspicious administrative activities. The ATT&CK framework categorizes this vulnerability under T1059.007 for Command and Scripting Interpreter: JavaScript, and T1547.001 for Registry Run Keys / Startup Folder, as attackers could potentially use this vulnerability to establish persistent access through malicious script injection. Security teams should also consider implementing network monitoring to detect unusual script execution patterns and establish more robust input validation procedures for administrative interfaces. Additionally, organizations should review their WordPress multisite configurations and ensure that appropriate permissions are enforced to limit the scope of potential exploitation, as the vulnerability specifically targets environments where administrative privileges can be leveraged to inject malicious code into the system.