CVE-2025-3919 is a medium-severity vulnerability in the WordPress Comments Import & Export plugin for WordPress, affecting all versions up to and including 2.4.3. It allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts via the plugin settings page, due to a missing capability check on the save_settings function and improper sanitization of the FTP settings parameters. The injected scripts execute whenever an administrative user accesses the affected page. To address this issue, upgrade the plugin to version 2.4.4 or later. For more details, see https://nvd.nist.gov/vuln/detail/CVE-2025-3919.
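
The two root causes named above, shown in corrected form as an added example; this is not the plugin's code or its 2.4.4 patch. The AJAX hook, nonce, option and field names, and the choice of the manage_options capability, are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not the Comments Import & Export source.
// All "example_*" names and the ftp[...] field layout are assumptions.

add_action( 'wp_ajax_example_save_ftp_settings', 'example_save_ftp_settings' );

function example_save_ftp_settings() {
    // 1. Authorization: wp_ajax_* hooks fire for any logged-in user, including
    //    Subscribers, so the handler itself must check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 2. Request origin: verify the nonce printed in the settings form.
    check_ajax_referer( 'example_ftp_settings', 'nonce' );

    // 3. Input: unslash, then sanitize every FTP field according to its type.
    $raw = ( isset( $_POST['ftp'] ) && is_array( $_POST['ftp'] ) )
        ? wp_unslash( $_POST['ftp'] )
        : array();

    $clean = array(
        'server' => sanitize_text_field( $raw['server'] ?? '' ),
        'user'   => sanitize_text_field( $raw['user'] ?? '' ),
        'path'   => sanitize_text_field( $raw['path'] ?? '' ),
        'port'   => absint( $raw['port'] ?? 21 ),
    );

    update_option( 'example_ftp_settings', $clean );
    wp_send_json_success();
}

// 4. Output: escape stored values when rendering the settings page, so a value
//    saved before the fix was installed cannot run as script in an admin's browser.
function example_render_ftp_fields() {
    $defaults = array( 'server' => '', 'user' => '', 'path' => '', 'port' => 21 );
    $s        = wp_parse_args( get_option( 'example_ftp_settings', array() ), $defaults );

    wp_nonce_field( 'example_ftp_settings', 'nonce' );
    foreach ( array( 'server', 'user', 'path' ) as $key ) {
        printf(
            '<input type="text" name="ftp[%1$s]" value="%2$s" />',
            esc_attr( $key ),
            esc_attr( $s[ $key ] )
        );
    }
    printf( '<input type="number" name="ftp[port]" value="%d" />', absint( $s['port'] ) );
}
```

Escaping at render time matters independently of the save-side checks, because settings written while a vulnerable version was active remain in the database after the upgrade.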