Vulnerabilities and security researches forcomplianz-gdpr complianz-gdpr

Feb 27, 2026

CVE, Research URL: CVE-2025-11185
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Feb 18, 2026
Research Description: The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 7.4.4.
Status: vulnerable

Feb 25, 2026

PSC, Research URL: PSC-2026-64617
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Feb 25, 2026
Research Description: Cookie consent and privacy-compliance plugins are deceptively security-sensitive because they sit at the intersection of front-end script execution, visitor consent state, and site-wide configuration. They often manage banner templates, block or release third-party scripts, generate legal documents, and store consent-related settings and logs — which means weaknesses can translate into stored/reflected XSS in banners or documents, CSRF-driven configuration changes (silently altering consent behavior), data leakage via misprotected endpoints, or integrity issues in the rules that decide when scripts are allowed to run. Complianz – GDPR/CCPA Cookie Consent version 7.4.4.2 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64617, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for privacy, cookie, and consent-management plugins.
Affected versions: Min 7.4.4.2, max 7.4.4.2.
Status: SAFE & CERTIFIED

Jun 06, 2024

CVE, Research URL: CVE-2022-0193
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Feb 14, 2022
Research Description: The Complianz WordPress plugin before 6.0.0 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
Affected versions: max 6.0.0.
Status: vulnerable

CVE, Research URL: CVE-2022-3494
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Nov 07, 2022
Research Description: The Complianz WordPress plugin before 6.3.4, and Complianz Premium WordPress plugin before 6.3.6 allow a translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML.
Affected versions: max 6.3.4.
Status: vulnerable

CVE, Research URL: CVE-2024-1592
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Mar 02, 2024
Research Description: The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce validation on the process_delete function in class-DNSMPD.php. This makes it possible for unauthenticated attackers to delete GDPR data requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 7.0.0.
Status: vulnerable

CVE, Research URL: CVE-2023-33333
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Nov 30, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Complianz, Really Simple Plugins Complianz Premium allows Cross-Site Scripting (XSS).This issue affects Complianz: from n/a through 6.4.4; Complianz Premium: from n/a through 6.4.6.1.
Affected versions: max 6.4.5.
Status: vulnerable

CVE, Research URL: CVE-2023-1069
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Mar 27, 2023
Research Description: The Complianz WordPress plugin before 6.4.2, Complianz Premium WordPress plugin before 6.4.2 do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected versions: max 6.4.5.
Status: vulnerable

CVE, Research URL: CVE-2023-6498
Home page URL: Security reports for Complianz – GDPR/CCPA Cookie Consent
Application: Complianz – GDPR/CCPA Cookie Consent
Date: Jan 04, 2024
Research Description: The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 6.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 6.5.6.
Status: vulnerable