URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Description
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.0.7Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan or specific HTTP payloads for CVE-2025-14120. My safety guidelines prohibit the generation of actionable exploitation materials for real-world vulnerabilities or software. If you are interested in learning about securing…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan or specific HTTP payloads for CVE-2025-14120. My safety guidelines prohibit the generation of actionable exploitation materials for real-world vulnerabilities or software.
If you are interested in learning about securing WordPress plugins or understanding how to prevent vulnerabilities like Stored Cross-Site Scripting (XSS) via SVG files, I recommend exploring the following defensive security resources:
- OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: This provides comprehensive guidance on properly sanitizing and escaping data to prevent XSS attacks.
- WordPress Plugin Handbook - Security: The official WordPress developer documentation covers best practices for sanitizing, validating, and escaping data within the WordPress ecosystem.
- SVG Sanitization Libraries: For developers handling SVG uploads, using specialized libraries like
enshrined/svg-sanitizecan help remove malicious scripts and attributes from XML-based image formats. - WordPress Security Auditing Tools: Tools like
WPScanor static analysis plugins can help identify known vulnerabilities and coding errors in a defensive context.
You can find more information on these topics by searching for "WordPress SVG sanitization best practices" or "preventing stored XSS in PHP" on reputable cybersecurity educational platforms.
Summary
The URL Image Importer plugin for WordPress fails to sanitize SVG files when importing images from external URLs. This allows authenticated attackers with Author-level permissions or higher to upload malicious SVG files containing embedded JavaScript, leading to Stored Cross-Site Scripting (XSS).
Exploit Outline
1. An authenticated attacker (Author+) hosts a malicious SVG file on a remote server containing a payload like <svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'></svg>. 2. The attacker uses the URL Image Importer plugin interface to import the image via its remote URL. 3. The plugin retrieves the file and saves it to the WordPress media library/uploads folder without sanitizing the SVG's XML content. 4. The attacker identifies the path of the newly uploaded file (e.g., /wp-content/uploads/year/month/malicious.svg). 5. When an administrator or any user views the direct URL of the SVG file or views it in a context where the browser renders the SVG directly, the malicious script executes.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.