
CVE-2023-1069: Complianz WordPress plugin vulnerable to cross-site scripting

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.3556%
Published: 3/27/2023
Updated: 3/31/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: really-simple-plugins/complianz-gdpr
Ecosystem: composer
Vulnerable Versions: < 6.4.2
First Patched Version: 6.4.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit diff shows critical security fixes:

- In class-document.php, added sanitize_text_field() and esc_html() for shortcode text attributes
- Implemented esc_attr() for service/category in JS/HTML contexts
- In functions.php, added sanitize_text_field() for revocation text

These fixes directly correlate to unescaped output of user-controlled shortcode attributes in three main functions. The vulnerability pattern matches WordPress shortcode XSS where attributes are reflected without proper sanitization/escaping. The pre-patch code lacked these security measures, making these functions clear injection points.
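As an added illustration, not code from the Complianz plugin or from the commit described above, the following constructed WordPress shortcode handler reflects its attributes unescaped, next to the hardened form that applies the same sanitize_text_field()/esc_html()/esc_attr() pattern the analysis names. The shortcode name, attribute names and the stand-in functions that let it run outside WordPress are assumptions.

```php
<?php
// Added example, not Complianz code: a constructed shortcode handler that reflects
// its attributes unescaped, beside the hardened pattern the CVE-2023-1069 fix applied.
// Shortcode name, attribute names and the stand-ins below are hypothetical.

// Stand-ins so the file runs outside WordPress; under WordPress the core functions
// with these names already exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($t) { return htmlspecialchars((string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($t) { return htmlspecialchars((string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified approximation of core: drop tags, collapse whitespace, trim.
    function sanitize_text_field($s) { return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s))); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) { return array_merge($pairs, array_intersect_key((array) $atts, $pairs)); }
}

// BEFORE: values any contributor can put in post content land in the page as-is,
// once in an attribute context and once in a text context.
function example_document_shortcode_vulnerable($atts) {
    $a = shortcode_atts(['text' => 'Document', 'service' => ''], $atts);
    return '<a class="doc-link" data-service="' . $a['service'] . '">' . $a['text'] . '</a>';
}

// AFTER: sanitize on input, then escape for the exact output context
// (esc_attr inside the attribute, esc_html for the element text).
function example_document_shortcode_fixed($atts) {
    $a = shortcode_atts(['text' => 'Document', 'service' => ''], $atts);
    $service = sanitize_text_field($a['service']);
    $text    = sanitize_text_field($a['text']);
    return '<a class="doc-link" data-service="' . esc_attr($service) . '">' . esc_html($text) . '</a>';
}

if (function_exists('add_shortcode')) { // registration when loaded by WordPress
    add_shortcode('example_document', 'example_document_shortcode_fixed');
}

// Constructed attribute values of the kind post content can carry.
$atts = ['text' => 'Our <i>cookie</i> policy', 'service' => 'ads" data-extra="x'];
echo example_document_shortcode_vulnerable($atts), PHP_EOL; // quote ends the attribute early
echo example_document_shortcode_fixed($atts), PHP_EOL;      // data-service="ads&quot; data-extra=&quot;x"
```

Running it with `php` outside WordPress prints the two renderings so the broken attribute boundary in the first and the encoded quote in the second can be compared directly.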


WAF Protection Rules

WAF Rule

The Complianz Premium WordPress plugin before 6.4.2 did not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to p
