{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4369", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-05T19:26:49.897Z", "datePublished": "2025-07-15T09:22:51.602Z", "dateUpdated": "2026-04-08T17:17:04.286Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:04.286Z"}, "affected": [{"vendor": "papin", "product": "Companion Auto Update", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018update_delay_days\u2019 parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Companion Auto Update <= 3.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c61072-5480-43f3-ad9f-ed3f0d577ebc?source=cve"}, {"url": "https://wordpress.org/plugins/companion-auto-update/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/companion-auto-update/tags/3.9.2/admin/dashboard.php#L71"}, {"url": "https://plugins.trac.wordpress.org/changeset/3325878/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-07-14T20:39:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-15T13:20:19.180360Z", "id": "CVE-2025-4369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:20:38.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-15T13:20:19.180360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:20:32.262Z"}}], "cna": {"title": "Companion Auto Update <= 3.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "papin", "product": "Companion Auto Update", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T20:39:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c61072-5480-43f3-ad9f-ed3f0d577ebc?source=cve"}, {"url": "https://wordpress.org/plugins/companion-auto-update/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/companion-auto-update/tags/3.9.2/admin/dashboard.php#L71"}, {"url": "https://plugins.trac.wordpress.org/changeset/3325878/"}], "descriptions": [{"lang": "en", "value": "The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018update_delay_days\u2019 parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:04.286Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4369", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:04.286Z", "dateReserved": "2025-05-05T19:26:49.897Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-15T09:22:51.602Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018update_delay_days\u2019 parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento Companion Auto Update para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro \u00abupdate_delay_days\u00bb en todas las versiones hasta la 3.9.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de administrador, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a instalaciones donde se ha deshabilitado \u00abunfiltered_html\u00bb."}], "id": "CVE-2025-4369", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-15T10:15:22.957", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/companion-auto-update/tags/3.9.2/admin/dashboard.php#L71"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3325878/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/companion-auto-update/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c61072-5480-43f3-ad9f-ed3f0d577ebc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T04:01:19.299128+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Companion Auto Update plug\u2011in version (3.9.3 or newer) which fixes the input sanitization issue", "If an upgrade is not possible, remove any custom value for update_delay_days or reset the option to an empty string", "Restrict the administrator role so that only trusted accounts can edit plugin options, or disable the unfiltered_html capability for the multisite network", "Use a web\u2011application firewall or similar security plugin to block XSS payloads in output as a temporary safeguard"], "summary": {"action": "Update Plugin", "impact": "Authenticated Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations running Companion Auto Update version 3.9.2 or earlier on a WordPress multisite network where the unfiltered_html capability has been disabled are affected. The vulnerability is limited to the plugin and does not affect other WordPress core components.", "description_and_impact": "The Companion Auto Update plugin contains a stored cross\u2011site scripting flaw that lets an authenticated user with administrator privileges modify the update_delay_days option. The value entered is stored without sanitization and later rendered in administrative pages without proper output escaping. As a result, a malicious administrator can inject JavaScript that will execute in the browsers of any user who views the affected page. This can lead to arbitrary script execution within the context of the site.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates a moderate risk level. The EPSS score of less than 1\u202f% suggests that exploitation attempts are rare at present. The flaw is not included in CISA\u2019s KEV catalog. Exploitation requires an attacker to authenticate as an administrator on a multisite WordPress installation with unfiltered_html disabled and then edit the update_delay_days setting. Because the malicious payload is stored, the compromised script will run whenever any user accesses a page that outputs the stored value."}}}}, "created": "2026-04-21T04:15:26.200688+00:00", "updated": "2026-04-21T04:15:26.200751+00:00", "vendors": []}