CVE-2025-4369
Description
The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Companion Auto Update plugin via 'update_delay_days' parameter allows admin-level attackers to inject scripts on multisite or sites with unfiltered_html disabled.
The Companion Auto Update plugin for WordPress is vulnerable to stored cross-site scripting (XSS) because the value of the 'update_delay_days' setting is neither sanitized when it is saved nor escaped when it is rendered back into an admin page [1]. All versions up to and including 3.9.2 are affected. By its name the setting should hold a day count, so a value that contains markup should never reach the database; instead it is stored verbatim and echoed into the page, which is exactly the input-sanitization plus output-escaping gap that produces a stored XSS.
Exploitation requires administrator-level access, and the flaw only matters on multi-site installations or on sites where the 'unfiltered_html' capability has been disabled (for example via the DISALLOW_UNFILTERED_HTML constant) [1]. The reason is a privilege boundary: on a single-site install an administrator normally holds unfiltered_html and may already publish arbitrary markup, including script, so nothing is gained. On multisite only super admins hold that capability, and per-site administrators do not; there, and wherever the capability has been removed, an administrator who writes a script payload into 'update_delay_days' obtains something the platform intended to deny. The payload is stored and runs in the browser of every user who opens the affected settings page.
Successful exploitation runs attacker-controlled script in the browser of whoever views the page, typically another administrator or, on multisite, a super admin. WordPress authentication cookies are set HttpOnly, so the script cannot read them directly; the practical impact is instead the authenticated actions it can drive from inside the victim's session with the nonces present in the page, such as creating a new administrator account, installing or editing plugins, or defacing the site [1]. The vulnerability is classified as medium severity with a CVSS score of 5.5.
As of the publication date, no patch has been released; users should update the plugin as soon as a fixed version appears [1]. Until then the controls are the ones the precondition implies: keep the administrator role tightly held, since an administrator account is required to plant the payload, and audit the stored 'update_delay_days' option for anything other than a small integer, especially on multi-site installations and on sites that set DISALLOW_UNFILTERED_HTML.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
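The following is an added example, not code from the Companion Auto Update plugin or from this page, showing the defect class described above on a hypothetical integer setting. It contrasts a settings handler that stores and echoes the value as-is with one that coerces it to an integer on input and escapes it on output, and includes a small helper that reports whether the current user sits on the restricted side of the unfiltered_html boundary. All option keys, function names and the 365-day upper bound are assumptions; drop the file into wp-content/mu-plugins/ on a test site to run it.

```php
<?php
/**
 * Added example (not the plugin's code). Option names, function names and
 * the clamp range are assumptions chosen for illustration only.
 */

// --- Vulnerable pattern: value stored and echoed untouched ------------------
// The capability check and nonce are present, so only an administrator can
// reach this code; the missing pieces are sanitization and escaping. An
// administrator who lacks unfiltered_html can submit a value such as
//   7" autofocus onfocus="alert(document.domain)
// and it will fire for every user who later opens the settings page.
function cau_example_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cau_example_settings' );
    // Stored exactly as submitted: no sanitization.
    update_option( 'cau_example_update_delay_days', $_POST['update_delay_days'] );
}

function cau_example_render_vulnerable() {
    $days = get_option( 'cau_example_update_delay_days', '0' );
    // Echoed straight into an attribute: no escaping.
    echo '<input type="text" name="update_delay_days" value="' . $days . '">';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Sanitize on input. The setting is a day count, so coerce it with
//    absint(); anything non-numeric collapses to 0 and markup cannot survive.
// 2. Clamp the range so a nonsense value cannot reach the update scheduler.
// 3. Escape on output with esc_attr() regardless of what is stored, so a
//    value that reached the database by another path still cannot break out
//    of the attribute.
function cau_example_sanitize_delay_days( $value ) {
    $days = absint( $value );
    return min( $days, 365 ); // assumed upper bound
}

function cau_example_register_settings() {
    register_setting(
        'cau_example_settings',
        'cau_example_update_delay_days',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'cau_example_sanitize_delay_days',
            'default'           => 0,
        )
    );
}
add_action( 'admin_init', 'cau_example_register_settings' );

function cau_example_render_hardened() {
    $days = (int) get_option( 'cau_example_update_delay_days', 0 );
    printf(
        '<input type="number" min="0" max="365" name="update_delay_days" value="%s">',
        esc_attr( $days )
    );
}

// --- Why the precondition matters ------------------------------------------
// A user holding unfiltered_html may legitimately store markup, script
// included, so the defect only crosses a privilege boundary where that
// capability is absent: per-site administrators on multisite, or any site
// that defines DISALLOW_UNFILTERED_HTML. This helper (assumed name) returns
// true when the current user is on the restricted side of that boundary.
function cau_example_current_user_is_kses_restricted() {
    return ! current_user_can( 'unfiltered_html' );
}
```

The hardened path keeps the vulnerable one's capability check and nonce; those were never the problem. The sanitize_callback is the right place for the fix because WordPress applies it on every write through the Settings API, including the REST options endpoint, whereas a check placed only in the form handler protects one code path.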
Affected products
Two entries, neither with a CPE assigned:
- (no CPE)
- (no CPE), affected range: <= 3.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions
No linked articles in our index yet.