CVE-2023-6498: 
WordPress vulnerability analysis and mitigation

The Complianz – GDPR/CCPA Cookie Consent WordPress plugin (versions up to and including 6.5.5) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2023-6498. The vulnerability was discovered and disclosed on January 3, 2024, affecting administrator-level users in multi-site installations and systems where unfiltered_html has been disabled (CVE Mitre).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. This security flaw allows authenticated users with administrator-level permissions to inject arbitrary web scripts that execute when users access the affected pages. The issue specifically impacts WordPress multi-site installations and systems where the unfiltered_html capability has been disabled (WPScan).

When exploited, this vulnerability allows administrator-level users to perform Stored Cross-Site Scripting attacks by injecting malicious web scripts into pages. These scripts will execute whenever a user accesses the compromised pages, potentially leading to session hijacking, credential theft, or other malicious actions (CVE Mitre).

The vulnerability has been patched in version 6.5.6 of the Complianz plugin. The update prevents administrators from saving JavaScript in the CSS editor. Users are strongly advised to update to this version to mitigate the security risk (WordPress Plugin Repository).