Description
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-11-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via SVG uploads
Action: Patch
AI Analysis

Impact

The Enable SVG, WebP, and ICO Upload WordPress plugin contains a stored cross-site scripting flaw (CWE-79) caused by insufficient sanitization of uploaded SVG files and missing output escaping. An SVG is an XML document, so it can carry <script> elements, event-handler attributes such as onload, and javascript: URLs; the plugin accepts such files from users with Author privileges or higher and stores them in the media library without effective sanitization. The script runs in the browser of any user who opens the SVG directly (the browser has to render it as a document; an SVG referenced from an <img> tag or a CSS background does not execute scripts), and because the file is served from the site's own origin the script runs with that origin's privileges. That gives the attacker JavaScript execution in the victim's session on the site, which can be used for session hijacking, credential theft, or defacement of site content; an administrator lured into opening the file is the highest-value target.

Affected Systems

All WordPress sites running any version of the Enable SVG, WebP, and ICO Upload plugin up to and including 1.1.2 are affected. WordPress core does not accept SVG uploads by default, so the plugin itself is what opens the upload path; any site where it is active and where users holding the Author role or above can upload media is exposed (the Author role carries the upload_files capability by default).

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.4 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) and an EPSS score below 1 %, indicating a low observed likelihood of exploitation, and it is not listed in the CISA KEV catalog; the SSVC record in the history below rates exploitation as "none" and the flaw as not automatable. Exploitation requires an Author-level account and the ability to upload a crafted SVG file, plus a victim who opens that file, so the attack is straightforward on any site that grants the Author role to many users or to self-registered accounts.

Generated by OpenCVE AI on April 21, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Enable SVG, WebP, and ICO Upload plugin to version 1.1.3 or newer, which this recommendation identifies as the release that fixes the sanitization bug; because the Remediation section above records no confirmed vendor fix, verify against the plugin changelog before relying on the upgrade alone.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin (WordPress core rejects SVG uploads on its own, so removing the plugin closes the upload path), or restrict the upload_files capability, which the Author role holds by default, to trusted Administrators.
  • Scan the media library and the wp-content/uploads directory for SVG files uploaded while the vulnerable version was active, inspect them for <script> elements, on* event-handler attributes and javascript: URLs, remove any that contain them, and review the upload history of the Author accounts involved; SVGs that must be kept can be served with a Content-Security-Policy that forbids script execution or with Content-Disposition: attachment so the browser downloads rather than renders them.

Generated by OpenCVE AI on April 21, 2026 at 01:32 UTC.
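The following is an added example, not code from the plugin, from Wordfence or from OpenCVE. It ties together the Impact section's description of how a script inside an SVG reaches a visitor's browser and the last recommended action above, scanning previously uploaded SVGs: it flags the active-content vectors an SVG can carry, strips them, and walks an uploads tree reporting every SVG that contains one. The two sample SVGs and the temporary directory layout are constructed for the example; the script assumes it runs with read access to wp-content/uploads and that defusedxml is not installed, so the standard-library parser is used.

```python
"""Scan a WordPress uploads tree for SVG files that carry active content.

Added example, not code from the plugin or from OpenCVE.  It flags the vectors
a stored-XSS SVG relies on (<script>, on* event handlers, javascript:/data:
URLs, <foreignObject>), strips them, and reports every SVG under an uploads
directory that contains one.  Both sample SVGs are constructed for the example;
defusedxml would be the safer parser for untrusted files (assumed unavailable)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")        # keep xmlns="..." on output
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")  # instead of ns0:/ns1:
# Constructed samples: a plain icon and an upload carrying four script vectors.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="10">click</text></a>
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL-valued attributes, including SMIL ones that can rewrite href at runtime.
URL_ATTRS = {"href", "src", "to", "from", "values"}

def local_name(qname):
    """'{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]

def is_dangerous_url(value):
    """Browsers drop ASCII controls inside the scheme, so 'java\\tscript:' counts."""
    scheme = re.sub(r"[\x00-\x20]+", "", value).lower()
    return scheme.startswith(("javascript:", "vbscript:", "data:"))

def find_script_vectors(svg_bytes):
    """Return human-readable findings (empty list = no active content); raises ET.ParseError."""
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        if not isinstance(elem.tag, str):            # comments, processing instructions
            continue
        name = local_name(elem.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):               # SVG has no non-handler on* attributes
                findings.append(f"{aname}= event handler on <{name}>")
            elif aname in URL_ATTRS and is_dangerous_url(value):
                findings.append(f'{aname}="{value}" on <{name}>')
    return findings

def strip_script_vectors(svg_bytes):
    """Copy with active elements, handlers and dangerous URLs removed (defence in depth only)."""
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):                 # ET has no parent pointers
        for child in list(parent):
            if isinstance(child.tag, str) and local_name(child.tag).lower() in ACTIVE_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            aname = local_name(attr).lower()
            if aname.startswith("on") or (aname in URL_ATTRS and is_dangerous_url(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8")

def scan_uploads(uploads_dir):
    """Walk a wp-content/uploads tree; {path: findings} for each SVG with active content."""
    report = {}
    for dirpath, _, filenames in os.walk(uploads_dir):
        for filename in filenames:
            if not filename.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings = find_script_vectors(data)
            except ET.ParseError as exc:             # report, never silently skip
                findings = [f"malformed XML ({exc}); inspect manually"]
            if findings:
                report[path] = findings
    return report

def demo():
    """Write the samples into a temporary uploads tree and scan it (keys relative to the tree)."""
    with tempfile.TemporaryDirectory() as uploads:
        month_dir = os.path.join(uploads, "2025", "11")
        os.makedirs(month_dir)
        for filename, data in (("logo.svg", BENIGN_SVG), ("avatar.svg", MALICIOUS_SVG)):
            with open(os.path.join(month_dir, filename), "wb") as fh:
                fh.write(data)
        return {os.path.relpath(p, uploads): f for p, f in scan_uploads(uploads).items()}

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, *findings, sep="\n  - ")
```

Against a real site, call scan_uploads("/var/www/html/wp-content/uploads") and treat every flagged file as something to delete or replace with the output of strip_script_vectors(); if SVG uploads must stay enabled, that stripping belongs in the upload handler rather than in a periodic scan. The scan keys on the .svg extension, so an attachment stored with an image/svg+xml post_mime_type but a different extension would be missed; the wp_posts table is the second place to check.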

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Wed, 19 Nov 2025 11:00:00 +0000

Type: First Time appeared
Values added: Ideastocode; Ideastocode enable Svg, Webp & Ico Upload; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Ideastocode; Ideastocode enable Svg, Webp & Ico Upload; Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 09:45:00 +0000

Type: Description
Values added: The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Type: Title
Values added: Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none shown on this page)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Ideastocode Enable Svg, Webp & Ico Upload
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:14.186Z

Reserved: 2025-10-28T23:04:21.568Z

Link: CVE-2025-12457

Vulnrichment

Updated: 2025-11-18T21:11:20.863Z

NVD

Status : Deferred

Published: 2025-11-18T10:15:47.703

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses