WordPress Plugin Vulnerabilities

BSK PDF Manager < 3.7.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

Description

The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
bsk-pdf-manager
Fixed in 3.7.2

References

CVE
CVE-2025-4970
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cf1983b-4cb7-4738-9f19-2c530a9939e0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
rajanhoyr
Verified
No
WPVDB ID
00f9a0a7-ea4a-4bdb-9fea-ca16acb6a758

Timeline

Publicly Published
2025-12-11 (about 6 months ago)
Added
2025-12-11 (about 6 months ago)
Last Updated
2025-12-12 (about 6 months ago)

Other

Published
Title
Published
2016-08-08
Title
Advanced Custom Fields: Table Field <= 1.1.12 - Stored Cross-Site Scripting (XSS)
Published
2025-01-24
Title
PDF Invoices for WooCommerce + Drag and Drop Template Builder < 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-12-12
Title
Enter Addons < 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets
Published
2023-01-30
Title
WP Email Capture < 3.10 - Admin+ Stored XSS
Published
2024-12-19
Title
PKT1 Centro de envios < 1.2.2 - Reflected Cross-Site Scripting