Description
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-06-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Bit File Manager plugin for WordPress is vulnerable to stored cross‑site scripting through SVG file uploads in all releases up to version 6.7. The flaw stems from insufficient input sanitization and output escaping, enabling authenticated users with Subscriber‑level access or higher to embed malicious JavaScript into an SVG file. When other site visitors open that file, the attacker‑supplied scripts execute in their browsers, potentially allowing the attacker to steal user sessions, deface websites, or redirect users to malicious sites.

Affected Systems

WordPress installations running the Bit File Manager plugin version 6.7 or older are affected. The vulnerability exists in the File Manager component provided by bitpressadmin and affects all environments where the plugin is configured to accept SVG uploads.

Risk and Exploitability

With a CVSS score of 6.4 the issue is considered a moderate‑severity flaw, and the EPSS score of less than 1% indicates a low probability of active exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker already holds an authenticated account with Subscriber‑level or higher privileges; the attack vector is therefore an authenticated file‑upload pathway. Once the malicious SVG is uploaded, any subsequent user who opens the file directly in a browser will be exposed to the embedded script.

Generated by OpenCVE AI on April 21, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bit File Manager plugin to a version newer than 6.7 where the SVG upload filtering is fixed
  • If an upgrade is not immediately possible, remove the ability for Subscriber or higher roles to upload SVGs through the plugin, or disable the plugin entirely for these users
  • Restrict the file types that can be uploaded in WordPress by configuring the upload restrictions to exclude SVG files and monitor for any upload attempts that may bypass the plugin’s controls
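The recommended actions above restrict or monitor SVG uploads. The following is an added example, not code from OpenCVE or from the Bit File Manager plugin: a small Python check that a defender could run over uploaded or already-stored SVG files to flag the kinds of active content (script elements, event-handler attributes, javascript: links, foreignObject embedding) that make an SVG dangerous when a user opens it directly. The sample SVG documents are constructed for the example; the function names are the example's own.

```python
"""Flag SVG files that carry active content, for upload monitoring or audits of existing files.

Added example (not part of the OpenCVE record or the plugin). In production use
defusedxml.ElementTree in place of xml.etree to guard against entity-expansion attacks.
"""
import re
import xml.etree.ElementTree as ET

# Elements that run or embed active content when the SVG is navigated to directly.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that carry a URL; xlink:href is the legacy spelling still honoured by browsers.
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_URL = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return human-readable findings; an empty list means no active content was detected.

    Unparseable input is reported as a finding rather than silently accepted, because a
    file that is not well-formed XML should not be treated as a verified-clean image.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if EVENT_HANDLER.match(name):
                findings.append(f"event handler {name!r} on <{tag}>")
            elif attr in HREF_ATTRS and SCRIPT_URL.match(value):
                findings.append(f"javascript: URL in {name!r} on <{tag}>")
    return findings


def is_safe_to_accept(svg_bytes):
    """Policy helper: accept an SVG only when no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed sample files for the example; the handler bodies are inert placeholders.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>',
    "link": (
        b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        b'<a xlink:href="javascript:x()"><text>hi</text></a></svg>'
    ),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, "->", find_active_content(data) or "no active content")
```

Note that a check like this is a monitoring aid for the upload path the page describes, not a substitute for the upgrade: the plugin's own file manager writes files independently of the WordPress media library, so server-side filtering has to sit in whatever path the plugin actually uses, and serving user-uploaded SVGs with a `Content-Disposition: attachment` header or a restrictive Content Security Policy further limits what an embedded script can do if one slips through.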

Advisories

Source: EUVD
ID: EUVD-2025-16714
Title: The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

History

Tue, 03 Jun 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Jun 2025 08:30:00 +0000

Type: Description
Values Added: The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Type: Title
Values Added: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Uploads

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:29.307Z

Reserved: 2025-02-26T17:58:14.600Z

Link: CVE-2025-1725

Vulnrichment

Updated: 2025-06-03T13:28:37.370Z

NVD

Status: Deferred

Published: 2025-06-03T09:15:22.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses