CVE-2025-3919: 
WordPress vulnerability analysis and mitigation

The WordPress Comments Import & Export plugin for WordPress contains a vulnerability (CVE-2025-3919) discovered in versions up to and including 2.4.3. The vulnerability was disclosed on June 2, 2025, and affects the plugin's save_settings function due to a missing capability check. This security issue impacts the plugin's settings page and data handling functionality (NVD).

The vulnerability stems from two key issues: a missing capability check in the save_settings function and improper sanitization of FTP settings parameters. This combination allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts on the plugin's settings page. The injected scripts execute when administrative users access the affected page. The vulnerability has a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Cross-site Scripting) (NVD, Wordfence).

The vulnerability allows authenticated attackers to inject malicious web scripts that execute in the context of administrative users when they access the compromised settings page. This could lead to unauthorized data modification and potential exposure of sensitive information through the execution of arbitrary JavaScript code (NVD).

The vulnerability was partially fixed in version 2.4.3 and fully patched in version 2.4.4. Users are strongly advised to update to version 2.4.4 to fully mitigate the security risk. The fix addresses both the capability check issue and the FTP settings parameter sanitization vulnerabilities (WordPress Plugin).