controller/controller-comments.php in WP GDPR plugin through 2.1.1 has unauthenticated stored XSS.