
CVE-2022-3494: CWE-89 SQL Injection in Unknown Complianz – GDPR/CCPA Cookie Consent

Severity: High
Tags: Vulnerability, cve-2022-3494, cwe-89
Published: Mon Nov 07 2022 (11/07/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Complianz – GDPR/CCPA Cookie Consent

Description

The Complianz WordPress plugin before 6.3.4, and Complianz Premium WordPress plugin before 6.3.6, allow translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML.

AI-Powered Analysis

Last updated: 07/03/2025, 07:42:00 UTC

Technical Analysis

CVE-2022-3494 is a high-severity SQL Injection vulnerability (CWE-89) in the Complianz – GDPR/CCPA Cookie Consent WordPress plugin in versions prior to 6.3.4 (and Complianz Premium prior to 6.3.6). The plugin is widely used to manage cookie consent and compliance with privacy regulations such as GDPR and CCPA. The vulnerability arises because the plugin fails to sanitize translated strings before using them in database queries: a user holding the translator role, or anyone who can supply a malicious translation file (e.g., via compromised translation plugins such as Loco Translate or WPML), can therefore inject arbitrary SQL into the plugin's backend queries. This can lead to unauthorized data access, modification, or deletion, impacting the confidentiality, integrity, and availability of the WordPress site's data. The CVSS 3.1 score of 8.8 reflects network exploitability, low attack complexity, no required user interaction, and the low privileges needed (the translator role); exploitation does require authenticated access with translator privileges or the ability to upload or modify translation files. Although no known exploits are reported in the wild, the vulnerability poses a significant risk because of the potential for full database compromise, data leakage, or site defacement. Because it affects a compliance plugin, it is a high-value target for attackers aiming to disrupt or extract sensitive data from European organizations subject to GDPR.

Potential Impact

For European organizations, this vulnerability is particularly impactful because the Complianz plugin is designed to help comply with GDPR cookie consent requirements, making it prevalent among EU-based websites. Exploitation could lead to unauthorized access to sensitive user data, including personal information collected for compliance purposes, thereby violating GDPR mandates and potentially resulting in heavy regulatory fines and reputational damage. The ability to execute arbitrary SQL commands could allow attackers to exfiltrate personal data, modify or delete records, or escalate privileges within the WordPress environment. This could disrupt business operations, compromise customer trust, and expose organizations to legal liabilities. Since many European companies rely on WordPress for their web presence and use Complianz for compliance, the threat surface is significant. Additionally, the vulnerability could be leveraged in supply chain attacks if attackers compromise translation files distributed to multiple sites. The lack of known exploits in the wild does not diminish the risk, as the vulnerability’s characteristics make it a prime candidate for targeted attacks against European entities handling sensitive personal data.

Mitigation Recommendations

Organizations should immediately update the Complianz plugin to version 6.3.4 or later (and Complianz Premium to 6.3.6 or later) to remediate this vulnerability. Beyond patching, organizations should restrict the translator role to trusted users only and audit existing users with translator privileges to ensure no unauthorized accounts exist. It is advisable to limit or monitor the use of third-party translation plugins such as Loco Translate or WPML, especially regarding who can upload or modify translation files. Implementing strict file integrity monitoring on translation files can help detect unauthorized changes. Web application firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting the plugin’s endpoints. Regular security audits and vulnerability scans focusing on WordPress plugins should be conducted to identify outdated or vulnerable components. Finally, organizations should review their incident response plans to quickly address potential exploitation and data breaches related to this vulnerability.
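As an added example (not part of this advisory or the Complianz project), the following Python triage script parses a gettext .po translation file and flags msgstr values that look like SQL rather than UI text, the kind of check a defender can run over translation files supplied by translators or third-party translation plugins before they are deployed. The sample file, the detection heuristics and the function names are all constructed for illustration.

```python
import re

# Heuristics for a translated string that carries SQL rather than UI text (constructed, not exhaustive).
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b", re.I)
SQL_COMMENT = re.compile(r"(--|/\*)")

def _unquote(token):
    # Decode one double-quoted .po token; the \n, \t, \" and \\ escapes are resolved.
    token = token.strip()
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError(f"malformed .po string: {token!r}")
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), token[1:-1])

def parse_po(text):
    # Return (msgid, msgstr) pairs; continuation lines are joined, plural entries are not handled specially.
    entries, msgid, msgstr, current = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("msgid "):
            if msgid is not None:
                entries.append((msgid, msgstr or ""))
            msgid, msgstr, current = _unquote(line[6:]), None, "id"
        elif line.startswith("msgstr"):
            msgstr, current = _unquote(line[line.index('"'):]), "str"
        elif line.startswith('"') and current == "id":
            msgid += _unquote(line)
        elif line.startswith('"') and current == "str":
            msgstr += _unquote(line)
    if msgid is not None:
        entries.append((msgid, msgstr or ""))
    return entries

def is_suspicious(msgstr):
    # A quote beside a SQL keyword, a comment marker or ';' is the signature of an injected statement;
    # a lone apostrophe ("Don't") or a lone keyword ("Select ...") is normal UI text and is not flagged.
    has_quote = "'" in msgstr or '"' in msgstr
    keyword, comment = bool(SQL_KEYWORDS.search(msgstr)), bool(SQL_COMMENT.search(msgstr))
    return (has_quote and (keyword or comment or ";" in msgstr)) or (keyword and comment)

def suspicious_translations(po_text):
    # Entries whose msgstr a human should review before the file reaches the site.
    return [(i, s) for i, s in parse_po(po_text) if i and s and is_suspicious(s)]

# Constructed sample .po: header, two benign entries (apostrophe, 'Select'), one tampered entry.
SAMPLE_PO = r'''msgid ""
msgstr "Content-Type: text/plain; charset=UTF-8\n"
msgid "Select cookie categories"
msgstr "Cookie-Kategorien auswählen"
msgid "Don't track me"
msgstr "Verfolge mich nicht"
msgid "Accept"
msgstr "Akzeptieren'; DELETE FROM wp_posts; -- "
'''
```

Running `suspicious_translations(SAMPLE_PO)` returns only the tampered "Accept" entry; hits are for manual review, not automatic rejection.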


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-10-13T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec45f

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 7/3/2025, 7:42:00 AM

Last updated: 8/13/2025, 2:11:11 PM
