Stored Cross-Site Scripting Vulnerability in Z Companion Plugin for WordPress
CVE-2025-2575

CVSS 3.1 score: 5.4 (MEDIUM)

Key Information:

Vendor: WordPress
CVE Published: 11 April 2025

What is CVE-2025-2575?

The Z Companion plugin for WordPress, in all versions up to and including 1.1.1, is vulnerable to stored cross-site scripting (XSS) via SVG file uploads. The plugin does not sanitize the contents of uploaded SVG files and does not escape them on output, so an authenticated attacker with Author-level access or higher can upload an SVG carrying script (a <script> element, an onload or other on* event handler, or a javascript: href) that executes in the browser of any user who opens the uploaded file. An SVG only runs script when it is loaded as a document (opened at its own URL or embedded with iframe, object or embed; not when referenced from an <img> tag), so the attacker needs a victim to visit the file, which is why the CVSS vector below rates User Interaction as Required; the script then runs in the origin of the site that serves the upload. Exploitation requires the Royal Shop theme to be installed alongside the plugin.
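The upload-time check the advisory says is missing, as an added example written for this page (it is not code from the Z Companion plugin, the Royal Shop theme or WordPress core). It parses an SVG with Python's standard XML parser and flags or strips the constructs that execute when the file is opened in a browser: script elements, on* event handlers, javascript:/vbscript:/data: hrefs (including whitespace- and entity-obfuscated ones), foreignObject HTML islands, and animation elements that rewrite href. The two sample SVGs and all function names are constructed for the demonstration.

```python
"""Scan and sanitize uploaded SVG files for stored-XSS payloads.

Added example for this advisory; not code from the Z Companion plugin,
the Royal Shop theme or WordPress. The sample SVGs are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize with a default xmlns, not ns0:
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed HTML / another document inside the SVG.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Animation elements can rewrite href at runtime, so they count when they target it.
ANIMATION_TAGS = {"animate", "set"}
# Attributes that take a URL and therefore a javascript: scheme.
URL_ATTRS = {"href", "src"}


def local_name(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (works for attributes too)."""
    return qname.rsplit("}", 1)[-1]


def has_script_scheme(value: str) -> bool:
    """True for javascript:, vbscript: and data: URLs.

    Browsers strip ASCII control characters and whitespace before parsing the
    scheme, so tabs or newlines inside 'javascript:' still execute; the XML
    parser has already decoded numeric entities such as &#106; for us.
    data: is rejected too, since it can carry a nested SVG/HTML document.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith(("javascript:", "vbscript:", "data:"))


def animates_href(el: ET.Element) -> bool:
    return el.get("attributeName", "").split(":")[-1] == "href"


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing executable was found."""
    try:
        root = ET.fromstring(data)  # for untrusted input in production, use defusedxml
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"element <{tag}>")
        if tag in ANIMATION_TAGS and animates_href(el):
            findings.append(f"element <{tag}> rewrites href")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and has_script_scheme(value):
                findings.append(f"script-scheme {name} on <{tag}>")
    return findings


def sanitize_svg(data: bytes) -> bytes:
    """Strip executable constructs and return the re-serialized SVG."""
    root = ET.fromstring(data)
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # ElementTree elements do not know their parent; build the map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):  # snapshot: the tree is mutated while walking it
        tag = local_name(el.tag)
        if tag in DANGEROUS_TAGS or (tag in ANIMATION_TAGS and animates_href(el)):
            parents[el].remove(el)  # drops the whole subtree, e.g. HTML inside foreignObject
            continue
        for attr in list(el.attrib):
            name = local_name(attr)
            if name.lower().startswith("on") or (
                name in URL_ATTRS and has_script_scheme(el.attrib[attr])
            ):
                del el.attrib[attr]
    return ET.tostring(root)


# Constructed samples (not taken from any real upload).
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="alert(document.domain)">
  <script>fetch('/wp-admin/admin-ajax.php')</script>
  <a xlink:href="&#9;JavaScript:alert(1)"><text y="50">click me</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
  <animate attributeName="xlink:href" to="javascript:alert(3)"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
  <a href="https://example.com/"><text y="9" font-size="4">ok</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(f"{label}: {scan_svg(sample) or 'clean'}")
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Rejecting any upload for which scan_svg() reports a finding is the stricter policy; sanitize_svg() is the stripping approach taken by "safe SVG" style upload filters and is only as good as its list of dangerous constructs. Two defence-in-depth measures belong alongside either: parse untrusted input with defusedxml rather than xml.etree so entity-expansion attacks are blocked as well, and serve the uploads directory with a Content-Security-Policy (for example sandbox) or Content-Disposition: attachment so that an SVG that slips through cannot run script in the site's origin.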

Affected Version(s)

Z Companion, all versions <= 1.1.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None (a Low availability impact with the metrics above would compute to 6.5, not 5.4; stored XSS is normally rated with no availability impact)

Timeline

  • Vulnerability reserved
  • Vulnerability published: 11 April 2025

Credit

Avraham Shemesh