cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forcompanion-auto-update companion-auto-update

Direction: descending
Jun 16, 2026

Companion Auto Update # 4ed0f911f8fcd2b401511da7c4879e693fff1d89

CVE, Research URL

4ed0f911f8fcd2b401511da7c4879e693fff1d89

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
Jun 01, 2017
Research Description
Companion Auto Update [companion-auto-update] < 2.9.4 WordPress Companion Auto Update plugin <=2.9.3 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities WordPress Companion Auto Update plugin Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerability. The CSRF occurs when you try to change the plugin’s settings. There's no nonce to validate the request. The XSS vulnerability appears for "Email address" input field, the output is not escaped. Update the plugin.
Affected versions
max 2.9.4.
Status
vulnerable

Companion Auto Update # 7cd2d4dc-1f88-40bb-b32c-c047aeaa7996

CVE, Research URL

7cd2d4dc-1f88-40bb-b32c-c047aeaa7996

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
-
Research Description
Companion Auto Update [companion-auto-update] < 3.3.6 Companion Auto Update &lt;= 3.3.5 - Authenticated SQL Injection The Companion Auto Update WordPress plugin was affected by an Authenticated SQL Injection security vulnerability.
Affected versions
max 3.3.6.
Status
vulnerable

Companion Auto Update # 8f0e42fbcafedfe8c5a1a2e574977b4c09516724

CVE, Research URL

8f0e42fbcafedfe8c5a1a2e574977b4c09516724

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
Jan 14, 2019
Research Description
Companion Auto Update [companion-auto-update] < 3.3.6 Companion Auto Update <= 3.3.5 - Authenticated (Admin+) SQL Injection The Companion Auto Update plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on several existing SQL queries. This makes it possible for authenticated attackers, with administrative privileges and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 3.3.6.
Status
vulnerable
Jul 15, 2025

Companion Auto Update # CVE-2025-4369

CVE, Research URL

CVE-2025-4369

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
Jul 15, 2025
Research Description
The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.9.3.
Status
vulnerable
Jun 07, 2024

Companion Auto Update # CVE-2018-20973

CVE, Research URL

CVE-2018-20973

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
Aug 17, 2019
Research Description
The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.
Affected versions
max 3.2.1.
Status
vulnerable

Companion Auto Update # CVE-2018-20972

CVE, Research URL

CVE-2018-20972

Home page URL

Security reports for Companion Auto Update

Application

Companion Auto Update

Date
Aug 17, 2019
Research Description
The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.
Affected versions
max 3.2.1.
Status
vulnerable