CVE-2025-3919 is a medium-severity vulnerability affecting the WordPress Comments Import & Export plugin developed by Webtoffee. The vulnerability arises from improper input neutralization (CWE-79) during web page generation, specifically due to missing capability checks in the save_settings function and insufficient sanitization and escaping of FTP settings parameters. This flaw allows authenticated users with Subscriber-level privileges or higher to inject arbitrary JavaScript code into the plugin's settings page. When an administrative user subsequently accesses the compromised settings page, the injected scripts execute in the context of the administrator's browser session. This cross-site scripting (XSS) vulnerability can lead to unauthorized actions such as session hijacking, privilege escalation, or manipulation of site settings. The vulnerability affects all versions up to and including 2.4.3 of the plugin. A partial fix was introduced in version 2.4.3, with a full remediation implemented in version 2.4.4. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The issue was publicly disclosed on June 2, 2025.

For European organizations using WordPress websites with the Comments Import & Export plugin, this vulnerability poses a significant risk. Since the exploit requires only Subscriber-level access, which is a low privilege level often granted to registered users or commenters, attackers can leverage compromised or legitimate low-privilege accounts to inject malicious scripts. Execution of these scripts in administrator sessions can lead to theft of administrative credentials, unauthorized changes to website content or settings, and potential deployment of further malware or backdoors. This can result in data breaches, defacement, loss of customer trust, and regulatory non-compliance, especially under GDPR mandates concerning personal data protection. The vulnerability's network-based attack vector means it can be exploited remotely without user interaction, increasing the risk of widespread exploitation if not patched. Given the popularity of WordPress in Europe for business, government, and media websites, the impact can be broad, affecting confidentiality and integrity of sensitive information and operational stability of web services.

European organizations should immediately verify the version of the WordPress Comments Import & Export plugin in use and upgrade to version 2.4.4 or later, where the vulnerability is fully patched. Until the update is applied, restrict Subscriber-level user capabilities to the minimum necessary and monitor for unusual activity on the plugin settings page. Implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin's settings endpoints. Conduct regular audits of user accounts to identify and remove unauthorized or dormant accounts that could be leveraged for exploitation. Additionally, enforce multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise. Review and harden WordPress security configurations, including limiting plugin installation and updates to trusted administrators. Finally, educate administrators to be cautious when accessing plugin settings pages and to report any anomalies promptly.