CVE-2025-3919: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webtoffee Comments Import & Export
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4
AI Analysis
Technical Summary
CVE-2025-3919 is a cross-site scripting vulnerability in the WordPress Comments Import & Export plugin caused by missing capability checks on the save_settings function and improper sanitization and escaping of FTP settings parameters. Authenticated users with Subscriber-level privileges or higher could inject arbitrary web scripts that execute when an administrator accesses the affected plugin settings page. The vulnerability was partially addressed in version 2.4.3 and fully resolved in version 2.4.4.
Potential Impact
An attacker with at least Subscriber-level access can inject malicious scripts into the plugin settings page, potentially leading to unauthorized actions performed in the context of an administrative user. This can result in limited confidentiality and integrity impacts but does not affect availability. The CVSS score of 6.4 reflects a medium severity level with network attack vector and low attack complexity.
Mitigation Recommendations
Users should upgrade the Comments Import & Export plugin to version 2.4.4 or later, where the vulnerability is fully fixed. Versions up to and including 2.4.3 contain partial fixes and remain vulnerable. No other mitigations are specified. Patch status is confirmed fixed in version 2.4.4.
CVE-2025-3919: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webtoffee Comments Import & Export
Description
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3919 is a cross-site scripting vulnerability in the WordPress Comments Import & Export plugin caused by missing capability checks on the save_settings function and improper sanitization and escaping of FTP settings parameters. Authenticated users with Subscriber-level privileges or higher could inject arbitrary web scripts that execute when an administrator accesses the affected plugin settings page. The vulnerability was partially addressed in version 2.4.3 and fully resolved in version 2.4.4.
Potential Impact
An attacker with at least Subscriber-level access can inject malicious scripts into the plugin settings page, potentially leading to unauthorized actions performed in the context of an administrative user. This can result in limited confidentiality and integrity impacts but does not affect availability. The CVSS score of 6.4 reflects a medium severity level with network attack vector and low attack complexity.
Mitigation Recommendations
Users should upgrade the Comments Import & Export plugin to version 2.4.4 or later, where the vulnerability is fully fixed. Versions up to and including 2.4.3 contain partial fixes and remain vulnerable. No other mitigations are specified. Patch status is confirmed fixed in version 2.4.4.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-24T12:14:07.599Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 683ee1eb182aa0cae27396a6
Added to database: 6/3/2025, 11:52:11 AM
Last enriched: 4/9/2026, 10:18:37 AM
Last updated: 5/8/2026, 3:31:13 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.