CVE-2025-3919: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webtoffee WordPress Comments Import & Export
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4.
AI Analysis
Technical Summary
CVE-2025-3919 is a medium-severity vulnerability affecting the WordPress Comments Import & Export plugin developed by Webtoffee. The vulnerability arises from improper input neutralization (CWE-79) during web page generation, specifically due to missing capability checks in the save_settings function and insufficient sanitization and escaping of FTP settings parameters. This flaw allows authenticated users with Subscriber-level privileges or higher to inject arbitrary JavaScript code into the plugin's settings page. When an administrative user subsequently accesses the compromised settings page, the injected scripts execute in the context of the administrator's browser session. This cross-site scripting (XSS) vulnerability can lead to unauthorized actions such as session hijacking, privilege escalation, or manipulation of site settings. The vulnerability affects all versions up to and including 2.4.3 of the plugin. A partial fix was introduced in version 2.4.3, with a full remediation implemented in version 2.4.4. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The issue was publicly disclosed on June 2, 2025.
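To make the two defects concrete, the following is an added illustration, not the plugin's own code: a settings handler with the shape the advisory describes (no authorization check, raw input stored, raw output echoed) followed by the hardened form using standard WordPress APIs. The option key, field names and function names (cie_ftp_settings, ftp_host, cie_save_settings_*) are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): a settings handler of the
// shape CVE-2025-3919 describes, then the hardened form. Option and field
// names (cie_ftp_settings, ftp_host, ftp_user, ftp_port) are hypothetical.

// BEFORE: the pattern behind the advisory. Any logged-in user who can reach
// the save handler lands here, and the values are stored unsanitized and
// later echoed unescaped on the settings page an administrator views.
function cie_save_settings_vulnerable() {
    $settings = array(
        'ftp_host' => $_POST['ftp_host'],   // no sanitization
        'ftp_user' => $_POST['ftp_user'],
    );
    update_option( 'cie_ftp_settings', $settings ); // no capability or nonce check
}

// AFTER: authorization, CSRF token, input sanitization, and output escaping.
function cie_save_settings_fixed() {
    // 1. Capability check: Subscriber-level accounts fail here; only users
    //    allowed to manage options may change FTP settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check so an administrator cannot be tricked into submitting
    //    the form from another site.
    check_admin_referer( 'cie_save_ftp_settings', 'cie_nonce' );

    // 3. Sanitize on input: strip tags and control characters, remove the
    //    slashes WordPress adds, and coerce the port to an integer.
    $settings = array(
        'ftp_host' => sanitize_text_field( wp_unslash( $_POST['ftp_host'] ?? '' ) ),
        'ftp_port' => absint( $_POST['ftp_port'] ?? 21 ),
        'ftp_user' => sanitize_text_field( wp_unslash( $_POST['ftp_user'] ?? '' ) ),
    );
    update_option( 'cie_ftp_settings', $settings );
}

// 4. Escape on output: even if a stored value slipped past sanitization,
//    esc_attr() neutralizes quotes and angle brackets inside the attribute,
//    so nothing executes when the admin opens the settings page.
function cie_render_ftp_field( $key ) {
    $settings = get_option( 'cie_ftp_settings', array() );
    $value    = isset( $settings[ $key ] ) ? $settings[ $key ] : '';
    printf(
        '<input type="text" name="%1$s" value="%2$s" />',
        esc_attr( $key ),
        esc_attr( $value )
    );
}
```

Both input sanitization and output escaping are needed: the partial fix in 2.4.3 and full fix in 2.4.4 reflect that closing the capability check alone does not address values already stored or rendered without escaping.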
Potential Impact
For European organizations using WordPress websites with the Comments Import & Export plugin, this vulnerability poses a significant risk. Since the exploit requires only Subscriber-level access, which is a low privilege level often granted to registered users or commenters, attackers can leverage compromised or legitimate low-privilege accounts to inject malicious scripts. Execution of these scripts in administrator sessions can lead to theft of administrative credentials, unauthorized changes to website content or settings, and potential deployment of further malware or backdoors. This can result in data breaches, defacement, loss of customer trust, and regulatory non-compliance, especially under GDPR mandates concerning personal data protection. The vulnerability's network-based attack vector means it can be exploited remotely without user interaction, increasing the risk of widespread exploitation if not patched. Given the popularity of WordPress in Europe for business, government, and media websites, the impact can be broad, affecting confidentiality and integrity of sensitive information and operational stability of web services.
Mitigation Recommendations
European organizations should immediately verify the version of the WordPress Comments Import & Export plugin in use and upgrade to version 2.4.4 or later, where the vulnerability is fully patched. Until the update is applied, restrict Subscriber-level user capabilities to the minimum necessary and monitor for unusual activity on the plugin settings page. Implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin's settings endpoints. Conduct regular audits of user accounts to identify and remove unauthorized or dormant accounts that could be leveraged for exploitation. Additionally, enforce multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise. Review and harden WordPress security configurations, including limiting plugin installation and updates to trusted administrators. Finally, educate administrators to be cautious when accessing plugin settings pages and to report any anomalies promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-24T12:14:07.599Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 6/3/2025, 11:52:11 AM
Last enriched: 7/11/2025, 7:32:03 AM
Last updated: 8/15/2025, 9:38:53 AM