Description
The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-04-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via SVG file uploads
Action: Apply Patch
AI Analysis

Impact

An authenticated attacker holding the Author role or higher uploads an SVG file that carries script: a <script> element, an event-handler attribute such as onload, or a javascript: href. The file is stored and served from the site's own origin, so when a victim later opens it as a document (by navigating to the upload URL, or through an <object> or <iframe> embed) the script runs in the victim's browser under the site's origin, which is enough for session hijacking, credential theft, defacement and other client-side attacks against any logged-in user, administrators included. Browsers do not execute scripts inside an SVG referenced from an <img> tag or a CSS background, so delivery depends on the file being opened directly; the changed-scope CVSS vector (S:C) reflects that the impact lands in the viewer's browser rather than in the plugin itself. The root cause is insufficient sanitization of the uploaded SVG combined with missing output escaping, which is stored cross-site scripting (CWE-79), delivered to every user who opens the file.

Affected Systems

WordPress sites running the AI Content Pipelines plugin (listed under the author Adamwillhoeft as the Content Engine + Analytics add-on) at version 1.6 or earlier. The advisory gives no lower bound, so every release up to and including 1.6 should be treated as affected, independent of the WordPress core version hosting it.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (6.4, Medium) reads: reachable over the network, low attack complexity, low privileges required (an Author account), no user interaction needed for the upload itself, changed scope because the payload executes in victims' browsers, and low confidentiality and integrity impact with no availability impact. The EPSS score below 1 % and the SSVC assessment recorded on 7 Apr 2025 (Exploitation: none, Automatable: no) both indicate no known exploitation at publication, and the CVE is not in CISA's KEV catalog. Preconditions: the attacker needs an Author-level or higher account, and the plugin's SVG upload path must be reachable. WordPress core does not accept .svg uploads by default, so the exposure comes from the plugin; sites with open registration that grants elevated roles, or with many contributors, are the most exposed. Once the file is stored, the payload reaches every user who opens it through an ordinary request for the upload URL.

Generated by OpenCVE AI on April 21, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AI Content Pipelines to the first release after 1.6 that fixes the SVG upload handling, as soon as one is published; until then treat every installed version as vulnerable.
  • If updating is not immediately possible, block SVG uploads entirely: WordPress core rejects .svg by default, so remove any upload_mimes filter (from this plugin or another) that adds image/svg+xml, or use a security plugin that filters uploads. Then sweep wp-content/uploads for SVG files that already contain <script>, on* event attributes or javascript: hrefs, and quarantine any hit, since existing files stay dangerous after the upgrade.
  • Enforce a strong Content-Security-Policy that disallows inline scripts and restricts script sources to trusted origins. Note that the CSP sent with your HTML pages does not govern an SVG opened directly as its own document; apply a CSP such as sandbox or script-src 'none' (or a Content-Disposition: attachment header) to responses from the uploads path so that a stored SVG cannot execute script when navigated to.
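The scanner below is an added example written for this page; it is not code from the AI Content Pipelines plugin, from Wordfence or from OpenCVE. It demonstrates the script vectors an uploaded SVG can carry (the attack path described under Impact) and the check an upload filter or an incident-response sweep of the uploads directory can apply (the second recommended action). The sample SVGs, the directory path and the function names are constructed for the example.

```python
"""Detect script-execution vectors in SVG uploads.

Added example for this page; not code from the AI Content Pipelines
plugin, Wordfence or OpenCVE. Function names and sample files are
constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute or host active content when the SVG is opened as a
# document (direct URL, <object>, <iframe>). An <img> reference never runs them.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(name):
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _normalize_url(value):
    """Mimic browser URL tolerance: drop ASCII control chars and whitespace, lower-case."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def scan_svg(svg):
    """Return (vector, location) findings for one SVG body; [] means nothing active found."""
    # Refuse DOCTYPE/ENTITY declarations before parsing: an attacker-supplied
    # entity bomb would otherwise be expanded by the parser before any check runs.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg, re.IGNORECASE):
        return [("doctype", "DOCTYPE/ENTITY declaration; rejected unparsed")]
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [("malformed", "not well-formed XML: %s" % exc)]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments/PIs, if a parser keeps them
            continue
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("element", "<%s>" % tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                # onload, onclick, onbegin ... all run when the document is opened
                findings.append(("event-handler", "<%s %s>" % (tag, name)))
            elif attr in HREF_ATTRS:
                url = _normalize_url(value)
                if url.startswith("javascript:"):
                    findings.append(("javascript-url", "<%s %s>" % (tag, name)))
                elif tag == "use" and url.startswith("data:"):
                    # <use> can pull in a second SVG document, script included
                    findings.append(("data-url", "<%s %s>" % (tag, name)))
    return findings


def is_safe_svg(svg):
    """Upload-filter decision: accept only files with no findings at all."""
    return not scan_svg(svg)


def sweep(upload_root):
    """Incident-response sweep: map every .svg under upload_root to its findings."""
    return {str(p): scan_svg(p.read_bytes()) for p in Path(upload_root).rglob("*.svg")}


# Constructed sample files, one per vector (not taken from any real upload).
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<rect width="1" height="1"/></svg>',
    # &#9; is a tab: browsers ignore it inside the scheme, so the check must too
    "jsurl": b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="java&#9;script:alert(1)"><text y="10">x</text></a></svg>',
    "entity": b'<!DOCTYPE svg [<!ENTITY a "aaaa">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg">&a;</svg>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print("%-8s safe=%-5s %s" % (label, is_safe_svg(body), scan_svg(body)))
```

On a WordPress site the equivalent gate is the upload_mimes filter (never add image/svg+xml) together with wp_handle_upload_prefilter; the example is kept language-neutral so the same logic can run over files already on disk with sweep("/var/www/html/wp-content/uploads") (path assumed). The scanner is deliberately strict: it flags any <script> or <foreignObject>, any on* attribute, and any javascript: href after stripping the characters browsers ignore, and it refuses to parse files with a DOCTYPE so that entity expansion cannot be turned against the scanner itself. It does not sanitize; a flagged file should be rejected or quarantined, not repaired.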

Generated by OpenCVE AI on April 21, 2026 at 21:27 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-10020
Title: The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
History

Mon, 07 Apr 2025 15:15:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 05 Apr 2025 02:15:00 +0000

  Title, values added:
    AI Content Pipelines <= 1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Sat, 05 Apr 2025 03:00:00 +0000

  Description, values added:
    The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
  Weaknesses, values added:
    CWE-79
  References (no values shown)
  Metrics (cvssV3_1), values added:
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:57.355Z

Reserved: 2025-03-20T00:07:28.844Z

Link: CVE-2025-2544

Vulnrichment

Updated: 2025-04-07T13:04:16.993Z

NVD

Status : Deferred

Published: 2025-04-05T02:15:15.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses