Gutenverse Form < 2.4.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | CVE 2025-14984 | Plugin Vulnerabilities

Description

The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.

Affects Plugins

gutenverse-form

Fixed in 2.4.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/792fa6cb-e55a-4f68-b8a8-9039fb1ff694

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

andrea bocchetti

Verified

No

WPVDB ID

c9b81ba7-2dc1-4d48-a074-43a1f0c0e137

Timeline

Publicly Published

2026-01-07 (about 4 months ago)

Added

2026-01-07 (about 4 months ago)

Last Updated

2026-01-08 (about 4 months ago)

Other

Published

Title

Published

2021-11-22

Title

Blog2Social < 6.8.7 - Reflected Cross-Site Scripting

Published

2024-09-12

Title

Beauty <= 1.1.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via tpl_featured_cat_id Parameter

Published

2025-04-01

Title

Eventbee RSVP Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-27

Title

Product Catalog Simple < 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via show_products Shortcode

Published

2016-02-24

Title

WP Ultimate Exporter 1.0.0 - Reflected Cross-Site Scripting (XSS)