The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay

WORDPRESS

15-07-2025 07:20

CVE-2025-4369 Vulnerabilidad documentada

5.5 MEDIUM

Tags

#wordpress

#site

#plugin

#cross

#where

#web

#lte

#cross-site

#admin

#/admin(.*)lte/iU

#admin lte

#cross-site scripting

#attackers

#authenticated

#arbitrary

#vulnerable

#scripting

#inject

#execute

#attack

#access

#affect

Descripción

The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due insufficient input sanitization output escaping. This makes it possible authenticated attackers, with administrator-level access, inject arbitrary web scripts pages that will execute whenever a user accesses an injected page. only affects multi-site installations where unfiltered_html has been disabled.

https://plugins.trac.wordpress.org/browser/companion-auto-update/tags/3.9.2/admin/dashboard.php#L71

https://plugins.trac.wordpress.org/changeset/3325878/

https://wordpress.org/plugins/companion-auto-update/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c61072-5480-43f3-ad9f-ed3f0d577ebc?source=cve

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-4369

Resultados similares

Coincidentes en almenos en 50% de los tags

15-07-2025 CVE-2025-7667
The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in al...
Ver información

15-07-2025 CVE-2025-7367
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via t...
Ver información