CVE-2025-3919

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-3919
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4

6.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/comments-import-export-woocommerce/trunk/includes/settings/class-hf_cmt_impexpcsv-settings.php?rev=3278076
https://plugins.trac.wordpress.org/changeset/3288894/
https://plugins.trac.wordpress.org/changeset/3301183/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bc8863-04a9-4631-9510-624f98ea1e75?source=cve
Configurations

No configuration.

History

04 Jun 2025, 14:54

Type Values Removed Values Added
Summary
  • (es) El complemento WordPress Comments Import & Export de WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de una comprobación de capacidad en la función save_settings en todas las versiones hasta la 2.4.3 incluida. Además, el complemento no depura ni escapa correctamente los parámetros de configuración FTP. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar scripts web arbitrarios en la página de configuración del complemento que se ejecutarán cada vez que un usuario administrativo acceda a una página inyectada. La vulnerabilidad se corrigió parcialmente en la versión 2.4.3 y completamente en la versión 2.4.4.

02 Jun 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-02 23:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-3919

Mitre link : CVE-2025-3919

CVE.ORG link : CVE-2025-3919

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')