WordPress Security Bulletin: Complianz – GDPR/CCPA Cookie Consent plugin for WordPress (CVE-2025-11185)

Security Alert Summary

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its cmplz-accept-link shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allow authenticated users with contributor-level access or higher to inject scripts that execute when an affected page is viewed.


CVE Details

  • CVE ID: CVE-2025-11185
  • Affected plugin / component: The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress (shortcode: cmplz-accept-link)
  • Affected versions: all versions up to, and including, 7.4.3 (as stated in the CVE entry)
  • Published: February 18, 2026 at 10:16:13 AM UTC
  • Last modified: February 18, 2026 at 5:51:53 PM UTC
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires authentication; privileges required: LOW (authenticated attackers with contributor-level access and above, per the description); user interaction: NONE
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / weakness: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping of user-supplied attributes in the plugin’s cmplz-accept-link shortcode. Because attributes provided to the shortcode are not properly sanitized or escaped before being rendered, an authenticated user with contributor-level access or higher can insert arbitrary HTML or JavaScript payloads into pages where the shortcode is used. Those payloads are stored and will execute in the browser of any user who views the injected page.

The entry identifies the root cause as missing or inadequate validation and escaping on shortcode attributes. No additional endpoints, functions, or fixes are specified in the CVE entry beyond the named shortcode and the general cause (insufficient sanitization and escaping).
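To make the root cause concrete, here is an added example of a hypothetical shortcode handler shown first in the unsafe pattern the bulletin describes and then hardened. It is constructed for this page, is not the Complianz plugin's code, uses the made-up tag `demo-accept-link`, and assumes a loaded WordPress runtime (add_shortcode, shortcode_atts, esc_url, esc_attr, esc_html).

```php
<?php
// Added example (not Complianz code). A constructed shortcode that renders a link from
// user-supplied attributes, first unsafely, then hardened. Assumes WordPress is loaded.

// UNSAFE PATTERN: attributes are interpolated straight into markup.
// A contributor who can place the shortcode in a post controls the resulting HTML,
// and it is stored and rendered for every viewer of that post (stored XSS).
function demo_accept_link_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Accept', 'class' => '', 'href' => '#' ),
        $atts,
        'demo-accept-link'
    );
    // No escaping: a double quote in "class" closes the attribute, and angle
    // brackets in "text" become live markup in the viewer's browser.
    return '<a href="' . $atts['href'] . '" class="' . $atts['class'] . '">'
         . $atts['text'] . '</a>';
}

// HARDENED: each attribute is escaped for the exact context it lands in,
// and the link target is restricted to the URL schemes WordPress allows.
function demo_accept_link_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Accept', 'class' => '', 'href' => '#' ),
        $atts,
        'demo-accept-link'
    );
    // Allow-list the class as a single CSS token rather than trusting free text.
    $class = preg_replace( '/[^A-Za-z0-9_-]/', '', $atts['class'] );

    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $atts['href'] ),  // URL context: disallowed schemes yield an empty string
        esc_attr( $class ),        // HTML attribute context
        esc_html( $atts['text'] )  // text-node context; if limited markup is genuinely
                                   // needed, use wp_kses() with an explicit allow-list
    );
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'demo-accept-link', 'demo_accept_link_safe' );
```

WordPress removes the surrounding quotes from attribute values while parsing a shortcode, so the strings reaching the handler are raw text; the escaping has to happen at output time, per context, as in the hardened version.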


How This Could Impact Your Website

Consider a site with the following roles: a site owner who manages plugins and themes, internal staff who create content, and external contributors who submit posts. If a contributor-level user inserts a malicious payload via the affected cmplz-accept-link shortcode in a page or post, that script can execute in the browsers of other users who view the injected content.

  • Internal staff or administrators who preview or view affected pages could have session information or page-specific data exposed to the injected script, depending on their browser context.
  • Exposure of internal email addresses or other page content could increase the risk of targeted phishing or social-engineering attacks against staff or contributors.
  • While this vulnerability is an XSS issue (confidentiality and integrity impacts rated LOW), it can be leveraged for targeted attacks such as credential theft, session token capture, or displaying misleading content to users.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry specifies affected versions up to 7.4.3; a fixed version is not specified in the CVE.)
  • Review and reduce unnecessary user roles, especially contributor-level accounts that can create or edit content containing shortcodes.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins and audit active shortcodes used in published content.
  • Monitor site activity and logs for unusual behavior or unexpected content changes on pages that include user-editable shortcodes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.