CVE-2025-2575: 
WordPress vulnerability analysis and mitigation

The Z Companion plugin for WordPress (CVE-2025-2575) is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions up to and including 1.1.1. The vulnerability was discovered and disclosed on April 11, 2025. This security issue affects WordPress installations with both the Z Companion plugin and Royal Shop theme installed (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's file upload functionality. The issue allows authenticated users with Author-level access or higher to inject arbitrary web scripts through SVG file uploads. These malicious scripts are then executed whenever a user accesses the uploaded SVG file. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (Wordfence).

When exploited, this vulnerability allows attackers with Author-level privileges to inject malicious scripts that execute in users' browsers when viewing affected pages. This could lead to session hijacking, credential theft, or other client-side attacks against site visitors and administrators (NVD).

The vulnerability has been patched in version 1.1.2 of the Z Companion plugin. The update adds SVG sanitization through the wp_handle_upload_prefilter filter and implements proper sanitization for file uploads. Users are advised to update to version 1.1.2 or later to protect against this vulnerability (WordPress Plugin).