Description
The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. Note: This requires Royal Shop theme to be installed.
Published: 2025-04-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Z Companion plugin for WordPress allows authenticated users with Author privileges or higher to upload SVG files that are not properly sanitized or escaped. An attacker can inject arbitrary JavaScript into the SVG, which will execute whenever a site visitor views the image. This stored XSS can lead to session hijacking, credential theft, defacement, or silent data exfiltration, compromising the confidentiality, integrity, and availability of the site’s visitors.

Affected Systems

This vulnerability affects any WordPress site running Z Companion version 1.1.1 or older, and requires the Royal Shop theme to be installed. The affected product is listed as wpzita:Z Companion under the vendor name wpzita in the WordPress ecosystem.

Risk and Exploitability

The CVSS score for this flaw is 6.4, indicating moderate severity. The EPSS score is below 1 %, suggesting the probability of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only Author-level credentials—which many sites assign to content creators—the attacker needs only legitimate access rights. Once a malicious SVG is uploaded, any visitor who requests the file will be exposed to the injected script, enabling the attacker to gain further foothold or data from unsuspecting users.

Generated by OpenCVE AI on April 20, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Z Companion plugin to a version newer than 1.1.1, if available.
  • If an update is not possible, disable SVG file uploads or replace the Royal Shop theme with one that does not allow SVG usage.
  • Restrict the Author role so that users cannot upload files, or enforce stricter file‑type validation via a security plugin.

Generated by OpenCVE AI on April 20, 2026 at 23:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10797 The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. Note: This requires Royal Shop theme to be installed.
History

Tue, 06 May 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Wpzita
Wpzita z Companion
CPEs cpe:2.3:a:wpzita:z_companion:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpzita
Wpzita z Companion

Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. Note: This requires Royal Shop theme to be installed.
Title Z Companion <= 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wpzita Z Companion
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:50.346Z

Reserved: 2025-03-20T21:01:02.722Z

Link: CVE-2025-2575

cve-icon Vulnrichment

Updated: 2025-04-11T13:22:31.595Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-11T12:15:15.490

Modified: 2025-05-06T14:10:40.060

Link: CVE-2025-2575

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses