WordPress, Stored XSS via SVG Upload, CVE-2025-2575 (Medium)

How CVE-2025-2575 Works

The Z Companion plugin for WordPress does not sanitize SVG file uploads, so an authenticated attacker with the Author role or higher can upload an SVG that embeds JavaScript; the plugin neither filters nor escapes the file content. Exploitation requires the Royal Shop theme to be installed. When a victim opens the stored file, the embedded script runs in their browser, enabling session hijacking, defacement, or malware delivery.

DailyCVE Form:

Platform: WordPress
Version: ≤1.1.1
Vulnerability: Stored XSS
Severity: Medium
Date: 05/06/2025

What Undercode Say:

Exploitation:

1. Malicious SVG Payload:


<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>

2. Upload via Author Account:

curl -F "[email protected]" -H "Cookie: wordpress_logged_in_[bash]" http://target/wp-admin/admin-ajax.php?action=z_companion_upload

Detection:

1. Check Plugin Version:

SELECT option_value FROM wp_options WHERE option_name = 'z_companion_version';

2. Scan for Suspicious SVGs:

grep -r "onload=" /var/www/html/wp-content/uploads/z-companion/

Mitigation:

1. Patch: Update to Z Companion >1.1.1.

2. WAF Rule (ModSecurity):

SecRule FILES "@rx (?i)\.svg$" "id:1005,phase:2,deny,status:403,msg:'SVG XSS Attempt'"

3. Disable SVG Uploads (WordPress):

add_filter('upload_mimes', function ($mimes) { unset($mimes['svg']); return $mimes; }, 99); // priority 99 runs after the plugin re-enables SVG

4. Restrict Roles:

add_filter('z_companion_upload_cap', function() { return 'manage_options'; });

5. Manual Sanitization:

function sanitize_svg($file) {
    // Delete any SVG carrying a <script> element, an on* event handler or a javascript: URI.
    $content = file_get_contents($file);
    if (preg_match('/<script|\bon\w+\s*=|javascript\s*:/i', $content)) {
        wp_delete_file($file);
    }
}
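As an added example (not code from the advisory or the Z Companion plugin), a Python detector that parses uploaded SVGs instead of grepping them, covering the vectors the Detection and Manual Sanitization steps above look for; the sample SVGs are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# URI schemes that run script when placed in href / xlink:href.
ACTIVE_SCHEMES = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
# Elements that execute script or embed HTML inside an SVG.
SCRIPT_ELEMENTS = {"script", "foreignObject"}

def _local(qname: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]

def find_svg_script_vectors(svg: bytes) -> list[str]:
    """Return the script-execution vectors found in an SVG upload ([] means none).

    Parsing the XML catches 'onload = "..."', 'ONLOAD' and namespaced attributes
    that the case-sensitive 'grep onload=' over the uploads directory misses.
    """
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); reject the file"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name.lower() == "href" and ACTIVE_SCHEMES.match(value):
                findings.append(f"active URI in href on <{tag}>")
    return findings

# Constructed samples (not from the advisory): the onload payload with whitespace
# that 'grep onload=' misses, a <script>, a javascript: link and a clean icon.
SAMPLES = {
    "spaced_onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload = "alert(document.cookie)"/>',
    "script_element": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "js_href": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>'),
    "clean_icon": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>',
}

def scan_samples() -> dict[str, list[str]]:
    """Run the detector over every sample; a non-empty list means reject the upload."""
    return {name: find_svg_script_vectors(data) for name, data in SAMPLES.items()}
```

Hook the same function into the upload path (or run it over wp-content/uploads) and reject or quarantine any file with a non-empty result; a rejection filter is the right default because a clean SVG never needs event handlers, script elements or active URIs.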

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
