CVE-2025-4369
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| papin_schipper | companion_auto_update | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-4369 is a Stored Cross-Site Scripting (XSS) vulnerability in the Companion Auto Update WordPress plugin (versions up to and including 3.9.2). It arises from insufficient input sanitization and output escaping of the 'update_delay_days' parameter. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages, which execute whenever a user accesses those pages. This vulnerability specifically affects multi-site installations or installations where the 'unfiltered_html' capability is disabled. [3]
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrator privileges to inject malicious scripts into the plugin's pages. These scripts can execute in the context of other users visiting the affected pages, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of other users. Since it is a stored XSS, the malicious code persists and can affect multiple users. The impact is limited to multi-site installations or those with 'unfiltered_html' disabled, but it still poses a significant security risk. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Companion Auto Update WordPress plugin versions up to and including 3.9.2, specifically in multisite installations with unfiltered_html disabled. Detection involves verifying the plugin version installed on your WordPress multisite environment. You can check the plugin version via the WordPress admin dashboard or by running the following WP-CLI command: `wp plugin list --format=json | jq '.[] | select(.name=="companion-auto-update") | {name,version,status}'`. If the version is 3.9.2 or earlier, the site is vulnerable. Additionally, monitoring for unusual script injections in pages where the 'update_delay_days' parameter is used may indicate exploitation. Since this is a stored XSS vulnerability requiring administrator access, reviewing recent changes or suspicious admin activity logs may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the Companion Auto Update plugin to version 3.9.3 or later, as this version includes security fixes that improve input sanitization and output escaping to prevent stored cross-site scripting attacks. If updating immediately is not possible, restrict administrator-level access to trusted users only, especially on multisite installations with unfiltered_html disabled. Additionally, monitor and audit admin activities for suspicious behavior. Applying the update will ensure that the plugin uses proper sanitization and escaping functions, mitigating the risk of arbitrary script injection. [3]