CVE-2025-2575 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Z Companion plugin for WordPress. The vulnerability exists in all versions up to and including 1.1.1 due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape SVG file uploads, allowing authenticated users with Author-level privileges or higher to embed arbitrary JavaScript code within SVG files. When these SVG files are accessed by any user, the malicious scripts execute in the context of the victim's browser, potentially leading to session hijacking, data theft, or further exploitation. This vulnerability requires the Royal Shop theme to be installed, which is a prerequisite for the exploit to function, thereby narrowing the affected population. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the Author level. The vulnerability impacts confidentiality and integrity but does not affect availability. No user interaction is needed beyond viewing the malicious SVG file. There are no known exploits in the wild at the time of publication, but the vulnerability's nature makes it a significant risk for websites using the affected plugin and theme combination. The lack of available patches at the time of reporting necessitates immediate attention to mitigation strategies.

The primary impact of CVE-2025-2575 is on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers with Author-level access to inject persistent malicious scripts that execute in the browsers of any user viewing the compromised SVG files. This can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, and potential spread of malware. Since the vulnerability requires authentication at the Author level, the risk is somewhat mitigated by the need for an attacker to have some level of access, but insider threats or compromised accounts elevate the risk significantly. The requirement for the Royal Shop theme limits the scope but does not eliminate it, as many e-commerce or content sites may use this theme. The vulnerability does not impact availability, so denial of service is unlikely. However, the breach of user trust and potential data leakage can cause reputational damage and regulatory consequences for organizations. Given WordPress's widespread use, especially in small to medium-sized businesses and e-commerce, the vulnerability could affect a broad range of organizations globally.

To mitigate CVE-2025-2575 effectively, organizations should first verify if they are using the Z Companion plugin in conjunction with the Royal Shop theme. If so, immediate steps include restricting Author-level privileges to trusted users only and auditing existing SVG uploads for suspicious content. Since no official patch is available at the time of reporting, administrators should consider disabling SVG uploads or the Z Companion plugin temporarily to prevent exploitation. Implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious SVG payloads can provide an additional layer of defense. Regularly monitoring logs for unusual activity related to SVG file uploads or accesses is recommended. Once a patch or update is released by the vendor, prompt application is critical. Additionally, educating users about the risks of privilege escalation and enforcing strong authentication mechanisms can reduce the likelihood of an attacker gaining the necessary access level. Employing Content Security Policy (CSP) headers to restrict script execution sources may also help mitigate the impact of injected scripts.