The vulnerability identified as CVE-2026-2389 affects the Complianz – GDPR/CCPA Cookie Consent plugin for WordPress, specifically all versions up to and including 7.4.4.2. It is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79, caused by improper neutralization of input during web page generation. The root cause lies in the revert_divs_to_summary function, which replaces the HTML entity ” with a literal double-quote character (") in post content but fails to sanitize the resulting content afterward. This flaw enables an attacker with authenticated Contributor-level access or higher to inject arbitrary JavaScript code into pages managed by the plugin. The attack requires the Classic Editor plugin to be installed and active, as it influences how content is processed. Once malicious scripts are stored in the page content, they execute in the browsers of any users who visit the infected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability has a CVSS v3.1 base score of 4.9, indicating medium severity, with an attack vector of network, high attack complexity, low privileges required, no user interaction, and a scope change. No public exploits have been reported yet, but the presence of this vulnerability in a widely used GDPR/CCPA compliance plugin for WordPress sites poses a tangible risk. The vulnerability affects all versions of the plugin prior to the fix, and the lack of a patch link suggests that remediation may require manual updates or vendor intervention.

The primary impact of CVE-2026-2389 is the potential execution of arbitrary JavaScript in the context of affected WordPress sites using the Complianz plugin. This can lead to session hijacking, theft of sensitive user data such as cookies or authentication tokens, defacement of website content, or redirection to malicious sites. Since the vulnerability requires authenticated Contributor-level access, attackers must first compromise or have legitimate access to an account with these privileges, which limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or weak account controls. The exploitation does not require user interaction, increasing the risk once the malicious script is stored. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the immediate plugin, potentially impacting the entire WordPress site and its visitors. Organizations relying on this plugin for cookie consent management could face reputational damage, loss of user trust, and compliance issues if exploited. Although no known exploits are currently in the wild, the widespread use of WordPress and this plugin means the vulnerability could be targeted in the future, especially by attackers seeking to leverage stored XSS for persistent attacks.

To mitigate CVE-2026-2389, organizations should first verify if they are using the Complianz – GDPR/CCPA Cookie Consent plugin version 7.4.4.2 or earlier. Immediate steps include: 1) Updating the plugin to the latest version once a patch is released by the vendor; 2) If no patch is available, temporarily disabling the plugin or restricting Contributor-level access until remediation; 3) Removing or limiting the use of the Classic Editor plugin, as its presence is required for exploitation; 4) Implementing strict user role management and monitoring to ensure only trusted users have Contributor or higher privileges; 5) Employing Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting the plugin; 6) Conducting regular security audits and scanning for malicious scripts in post content; 7) Educating content contributors about safe content practices and the risks of injecting untrusted code; 8) Applying Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. These measures collectively reduce the risk of exploitation until a vendor patch is available.