cleantalk
Vulnerabilities and Security Researches

Complianz – GDPR/CCPA Cookie Consent, CVE-2026-2389

CVE, Research URL

CVE-2026-2389

Home page URL

Security reports for Complianz – GDPR/CCPA Cookie Consent

Application

Complianz – GDPR/CCPA Cookie Consent

Published on
Mar 26, 2026
Research Description
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `”` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability.
Affected versions
max 7.4.5.
Status
vulnerable
Previous vulnerability researches
Complianz – GDPR/CCPA Cookie Consent (CVE-2026-2389) , Apr 13, 2026
Complianz – GDPR/CCPA Cookie Consent (CVE-2025-11185) , Feb 27, 2026
Complianz – GDPR/CCPA Cookie Consent (CVE-2022-0193) , Jun 06, 2024
Complianz – GDPR/CCPA Cookie Consent (CVE-2022-3494) , Jun 06, 2024
Complianz – GDPR/CCPA Cookie Consent (CVE-2024-1592) , Jun 06, 2024
New vulnerability
Timeline Blocks for Gutenberg (CVE-2026-6551) , Apr 29, 2026
WPC Smart Messages for WooCommerce (CVE-2026-6725) , Apr 29, 2026
Check & Log Email (CVE-2026-5306) , Apr 29, 2026
Complianz – GDPR/CCPA Cookie Consent (CVE-2026-4019) , Apr 29, 2026
Booking Package (CVE-2026-4911) , Apr 29, 2026