Description
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Upload
Action: Immediate Patch
AI Analysis

Impact

The Enable SVG, WebP, and ICO Upload plugin allows an attacker who has author‑level (or higher) permissions to upload files with double extensions that conceal malicious payloads. The plugin's file type validation accepts ICO files after checking only the magic bytes, which means a file such as "upload.php.jpg" or "image.png.svg" can be uploaded as an ICO. Once stored on the server, an attacker can place executable scripts or web shells that may be accessed and run, resulting in full remote code execution on the WordPress site. This weakness is a classic example of unrestricted file upload (CWE‑434).
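To make the weakness concrete, here is an added Python example (not the plugin's code; the magic-bytes-only check is a reconstruction of the behaviour the advisory describes, and the ICO bytes are constructed) that contrasts that check with a validator which also enforces a single permitted extension and parses the ICO directory before accepting a file.

```python
"""Contrast a magic-bytes-only ICO check with a hardened upload validator.

Constructed illustration based on the advisory text; not the plugin's code.
"""
import struct
from pathlib import PurePosixPath

ICO_MAGIC = b"\x00\x00\x01\x00"  # reserved = 0, image type = 1 (icon)
ALLOWED_EXT = {"ico"}


def magic_only_check(filename: str, data: bytes) -> bool:
    """Flawed pattern described in the advisory: accept on the header alone.

    The filename is never inspected, so 'shell.php.ico' passes as an ICO.
    """
    return data[:4] == ICO_MAGIC


def hardened_ico_check(filename: str, data: bytes) -> bool:
    """Accept only '<base>.ico' with a structurally valid ICO directory."""
    parts = PurePosixPath(filename).name.split(".")
    # Policy: exactly one extension. Refusing any embedded dot is simpler and
    # safer than maintaining a denylist of executable inner extensions.
    if len(parts) != 2 or not parts[0] or parts[1].lower() not in ALLOWED_EXT:
        return False
    # ICONDIR: reserved (2), type (2), count (2), little-endian.
    if len(data) < 6:
        return False
    reserved, img_type, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or img_type != 1 or count == 0:
        return False
    # ICONDIRENTRY is 16 bytes each; every image must lie inside the file.
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        return False
    for i in range(count):
        entry = data[6 + 16 * i: 6 + 16 * (i + 1)]
        size, offset = struct.unpack("<II", entry[8:16])
        if size == 0 or offset < dir_end or offset + size > len(data):
            return False
    return True


def build_sample_ico() -> bytes:
    """Constructed minimal ICO: one 1x1 32-bpp entry with placeholder pixels."""
    image = b"\x00" * 8  # placeholder image payload, not a real bitmap
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image
```

The hardened check rejects the double-extension name even when the bytes are a perfectly valid icon, which is exactly the case the magic-only check lets through.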

Affected Systems

The issue exists in the WordPress plugin Enable SVG, WebP, and ICO Upload, produced by the vendor ideastocode. All versions of the plugin up to and including 1.1.3 are affected; version 1.1.4 and later contain the fix.

Risk and Exploitability

The vulnerability scored a CVSS of 8.8, indicating high severity. The EPSS score is below 1%, showing a very low likelihood of exploitation at the time of analysis. The plugin is not listed in the CISA KEV catalog. Although the risk is high if an attacker gains author‑level access or higher, the probability of exploitation remains low at present. Successful exploitation requires authenticated access and the ability to upload files, making the threat vector likely an insider or attacker who has compromised credentials.

Generated by OpenCVE AI on April 21, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Enable SVG, WebP, and ICO Upload plugin to version 1.1.4 or later, which includes proper file type validation.
  • If the plugin must remain in use, consider restricting author and higher roles or removing unnecessary user roles to limit upload privileges.
  • Disable the plugin entirely until the patch is applied, either by uninstalling it or setting it to inactive via the WordPress admin interface.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Description
  Removed: The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.2. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Added: The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title
  Removed: Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass
  Added: Enable SVG, WebP, and ICO Upload <= 1.1.3 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass
References

Wed, 19 Nov 2025 11:00:00 +0000

First Time appeared
  Added: Ideastocode; Ideastocode enable Svg, Webp & Ico Upload; Wordpress; Wordpress wordpress
Vendors & Products
  Added: Ideastocode; Ideastocode enable Svg, Webp & Ico Upload; Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Metrics
  Added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 09:45:00 +0000

Description
  Added: The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.2. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title
  Added: Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass
Weaknesses
  Added: CWE-434
References
Metrics
  Added (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:17.983Z

Reserved: 2025-11-12T14:06:35.865Z

Link: CVE-2025-13069

Vulnrichment

Updated: 2025-11-18T21:10:40.283Z

NVD

Status : Deferred

Published: 2025-11-18T10:15:49.203

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses