CVE-2025-2575

Name of the Vulnerable Software and Affected Versions: Z Companion plugin for WordPress versions up to and including 1.1.1

Description: The issue allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts in pages that will execute when a user accesses an uploaded SVG file, due to insufficient input sanitization and output escaping. This requires the Royal Shop theme to be installed.

Recommendations: For Z Companion plugin for WordPress versions up to and including 1.1.1, update to a version higher than 1.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the SVG file upload feature until a patch is available.