CVE-2025-4970 - Vulnerability Details

- BSK PDF Manager <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

Description

The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Published: 2025-12-12

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The BSK PDF Manager plugin in WordPress is vulnerable to stored XSS through SVG file uploads in versions up to 3.7.1. Insufficient sanitization of SVG content allows an Administrator or higher to embed malicious scripts that run for any user who opens the file. This flaw can lead to session hijacking, credential theft, or defacement when the script executes, affecting confidentiality, integrity, and availability of the site.

Affected Systems

WordPress sites running the BSK PDF Manager plugin version 3.7.1 or earlier on a multisite network, where the unfiltered_html option is disabled. Administrators with upload permissions can exploit the flaw; all users who view the SVG files are impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of <1% signals low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access at the Administrator level and the ability to upload an SVG file. An attacker must do so in a multisite environment with unfiltered_html turned off and then lure other users to view the injected file for the scripts to run.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bannersky

BSK PDF Manager

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.7.1

No data.

Vendor	Product	Confidence	Versions
Bannersky	Bsk Pdf Manager	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the BSK PDF Manager plugin to a version newer than 3.7.1
Disable SVG uploads for non‑Administrator roles or block the SVG file type entirely
If upgrading is not immediately possible, restrict unfiltered_html to trusted site users or apply a security plugin that sanitizes SVG content

Generated by OpenCVE AI on April 21, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405989%40bsk-pdf-manager&new=3405989%40bsk-pdf-manager&sfp_email=&sfph_mail=
https://wordpress.org/plugins/bsk-pdf-manager/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cf1983b-4cb7-4738-9f19-2c530a9939e0?source=cve

History

Sun, 14 Dec 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bannersky Bannersky bsk Pdf Manager Wordpress Wordpress wordpress
Vendors & Products		Bannersky Bannersky bsk Pdf Manager Wordpress Wordpress wordpress

Fri, 12 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Dec 2025 07:30:00 +0000

Type	Values Removed	Values Added
Description		The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title		BSK PDF Manager <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405989%40bsk-pdf-manager&new=3405989%40bsk-pdf-manager&sfp_email=&sfph_mail= https://wordpress.org/plugins/bsk-pdf-manager/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/3cf1983b-4cb7-4738-9f19-2c530a9939e0?source=cve
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Bannersky Bsk Pdf Manager

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-12T07:20:34.421Z

Updated: 2026-04-08T16:47:36.735Z

Reserved: 2025-05-19T22:06:06.068Z

Link: CVE-2025-4970

Vulnrichment

Updated: 2025-12-12T20:34:45.328Z

NVD

Status : Deferred

Published: 2025-12-12T08:15:48.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object