Z Companion
Moderate fix1 remedy
cpe:2.3:a:wpzita:z_companion:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 1.1.1
Z Companion WordPress Plugin Stored Cross-Site Scripting Vulnerability via SVG Upload
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the Z Companion plugin for WordPress, affecting all versions through 1.1.1. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Author-level access or higher to inject arbitrary scripts into pages. These scripts execute when a user accesses the uploaded SVG file. This vulnerability requires the Royal Shop theme to be active.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the SVG file.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher can upload an SVG file through the WordPress media uploader. The Z Companion plugin must be active, and the Royal Shop theme should be installed. After uploading, the injected script will execute when the SVG file is accessed.
Remediation
Users are advised to update the Z Companion plugin to version 1.1.2 or later.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
1.7exploitability
6.2remediation
7.7relevance
0.0threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.