Enable SVG, WebP, and ICO Upload < 1.1.3 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads | CVE 2025-12457 | Plugin Vulnerabilities

Description

The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Affects Plugins

enable-svg-webp-ico-upload

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Sornram9254

Verified

No

WPVDB ID

ecbe0a80-e2b0-4656-9986-c0757039b30e

Timeline

Publicly Published

2025-11-17 (about 7 months ago)

Added

2025-11-17 (about 7 months ago)

Last Updated

2025-12-12 (about 6 months ago)

Other

Published

Title

Published

2025-03-14

Title

Portfolio and Projects <= 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-09-22

Title

PilotPress <= 2.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2016-10-13

Title

Headway Theme < 3.8.9 - Authenticated Cross-Site Scripting (XSS)

Published

2024-11-08

Title

WP PagSeguro Payments <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-13

Title

AntiSpam for Contact Form 7 < 0.6.1 - Reflected Cross-Site Scripting