Description
The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-03-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Ayyash Studio plugin for WordPress contains a stored cross‑site scripting flaw where authenticated users with Author-level or higher access can upload SVG files that are not properly sanitized or escaped. Malicious JavaScript can be embedded inside these SVG files, which the plugin stores and then serves to any user who opens the file. The injected script runs in the victim’s browser when the file is viewed, exposing the site to client‑side code execution.

Affected Systems

All installations of the Ayyash Studio – The kick‑start kit plugin for WordPress up to and including version 1.0.3 are affected. The plugin is distributed by themerox and installed on WordPress sites that grant author‑level access for content upload.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently rare. The flaw is not listed in the CISA KEV catalog. Exploiting this vulnerability requires an authenticated account with Author or higher privileges, after which an attacker can upload a malicious SVG. Once stored, the payload executes automatically for any user who accesses the file, creating a persistent client‑side attack vector.

Generated by OpenCVE AI on April 22, 2026 at 04:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any newer version of Ayyash Studio that contains the fix if it is available.
  • If no update exists, restrict SVG file uploads for Author and higher roles by disabling the SVG MIME type or using a role‑management plugin to remove upload capability for those roles.
  • Apply server‑side sanitization to SVG uploads, for example by using WordPress’s wp_kses or a similar filtering function to remove script elements before the file is stored.
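As an added example (not code from OpenCVE, Wordfence or the Ayyash Studio plugin), a WordPress must-use plugin that implements the last two recommendations: it withholds the SVG MIME type from users who lack the unfiltered_html capability and rewrites any SVG that is still accepted with DOMDocument rather than wp_kses, whose default allow-list targets HTML rather than SVG elements. The hook names and capability are WordPress core APIs; the file name and svg_guard_sanitize() are assumptions.

```php
<?php
// svg-upload-guard.php (added example, not Ayyash Studio code): place in wp-content/mu-plugins/.

// 1. Withhold the SVG MIME type from anyone lacking unfiltered_html (administrators on
//    single sites, super admins on multisite). Runs last to override plugins that add svg.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        unset( $mimes['svg'], $mimes['svgz'] );
    }
    return $mimes;
}, PHP_INT_MAX );

// 2. Rewrite any SVG that is still accepted without active content before WordPress moves
//    it into uploads. Match the file name, not the browser-supplied $file['type'].
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! preg_match( '/\.svgz?$/i', $file['name'] ) ) {
        return $file;
    }
    $clean = svg_guard_sanitize( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null === $clean ) { // gzip-compressed .svgz never parses and is rejected here too
        $file['error'] = 'SVG is not well-formed XML; upload rejected.';
    } else {
        file_put_contents( $file['tmp_name'], $clean );
    }
    return $file;
} );

// Strip <script>, <foreignObject> and the animation elements that can rewrite an href at
// runtime, every on* event attribute, and any javascript: URI. Returns null on parse failure.
function svg_guard_sanitize( $xml ) {
    libxml_use_internal_errors( true ); // collect parse errors instead of emitting warnings
    $dom = new DOMDocument();
    if ( ! $dom->loadXML( $xml, LIBXML_NONET ) ) { // NONET: no network; NOENT deliberately omitted
        return null;
    }
    $banned = array( 'script', 'foreignobject', 'set', 'animate' );
    // Snapshot first: removing nodes while walking a live DOMNodeList skips siblings.
    foreach ( iterator_to_array( $dom->getElementsByTagName( '*' ), false ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $banned, true ) ) { $el->parentNode->removeChild( $el ); continue; }
        foreach ( iterator_to_array( $el->attributes, false ) as $attr ) {
            $name  = strtolower( $attr->localName );
            $value = strtolower( trim( $attr->value ) );
            if ( 0 === strpos( $name, 'on' ) || 0 === strpos( $value, 'javascript:' ) ) {
                $el->removeAttributeNode( $attr );
            }
        }
    }
    return $dom->saveXML();
}
```

This only affects new uploads; SVG files already in the media library must be re-checked or removed separately.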


Advisories
Source: EUVD
ID: EUVD-2025-8222
Title: The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
History

Wed, 26 Mar 2025 15:15:00 +0000

Values added:
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 02:45:00 +0000

Values added:
  Description: The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
  Title: Ayyash Studio <= 1.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
  Weaknesses: CWE-79
  References:
  Metrics: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:18.044Z

Reserved: 2025-03-20T21:32:28.756Z

Link: CVE-2025-2576

Vulnrichment

Updated: 2025-03-26T14:42:43.532Z

NVD

Status : Deferred

Published: 2025-03-26T03:15:13.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses