CVE-2025-3919

Name of the Vulnerable Software and Affected Versions WordPress Comments Import & Export plugin versions up to 2.4.3

Description The issue arises from a missing capability check on the save settings function and the failure to properly sanitize and escape FTP settings parameters. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts on the plugin settings page, which will execute when an administrative user accesses the injected page.

Recommendations For versions up to 2.4.3, update to version 2.4.4 to fully resolve the issue. As a temporary workaround for versions up to 2.4.3, consider restricting access to the plugin settings page to minimize the risk of exploitation.