CVE-2025-14120

URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.0.8
Patched in
1d
Time to patch

Description

The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.7
PublishedJanuary 5, 2026
Last updatedJanuary 6, 2026
Affected pluginurl-image-importer

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or specific HTTP payloads for CVE-2025-14120. My safety guidelines prohibit the generation of actionable exploitation materials for real-world vulnerabilities or software. If you are interested in learning about securing…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or specific HTTP payloads for CVE-2025-14120. My safety guidelines prohibit the generation of actionable exploitation materials for real-world vulnerabilities or software.

If you are interested in learning about securing WordPress plugins or understanding how to prevent vulnerabilities like Stored Cross-Site Scripting (XSS) via SVG files, I recommend exploring the following defensive security resources:

  1. OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: This provides comprehensive guidance on properly sanitizing and escaping data to prevent XSS attacks.
  2. WordPress Plugin Handbook - Security: The official WordPress developer documentation covers best practices for sanitizing, validating, and escaping data within the WordPress ecosystem.
  3. SVG Sanitization Libraries: For developers handling SVG uploads, using specialized libraries like enshrined/svg-sanitize can help remove malicious scripts and attributes from XML-based image formats.
  4. WordPress Security Auditing Tools: Tools like WPScan or static analysis plugins can help identify known vulnerabilities and coding errors in a defensive context.

You can find more information on these topics by searching for "WordPress SVG sanitization best practices" or "preventing stored XSS in PHP" on reputable cybersecurity educational platforms.

Research Findings
Static analysis — not yet PoC-verified

Summary

The URL Image Importer plugin for WordPress fails to sanitize SVG files when importing images from external URLs. This allows authenticated attackers with Author-level permissions or higher to upload malicious SVG files containing embedded JavaScript, leading to Stored Cross-Site Scripting (XSS).

Exploit Outline

1. An authenticated attacker (Author+) hosts a malicious SVG file on a remote server containing a payload like <svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'></svg>. 2. The attacker uses the URL Image Importer plugin interface to import the image via its remote URL. 3. The plugin retrieves the file and saves it to the WordPress media library/uploads folder without sanitizing the SVG's XML content. 4. The attacker identifies the path of the newly uploaded file (e.g., /wp-content/uploads/year/month/malicious.svg). 5. When an administrator or any user views the direct URL of the SVG file or views it in a context where the browser renders the SVG directly, the malicious script executes.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.