CVE-2025-9487
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: WPScan

Description
The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9487
EUVD
EUVD-2025-30407
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress admin_and_site_enhancements *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow authenticated users with upload permissions to execute arbitrary JavaScript in the context of the affected website by uploading malicious SVG files. This can lead to Cross-Site Scripting attacks, which may result in session hijacking, defacement, data theft, or other malicious actions performed on behalf of users who access the malicious SVG files. [1]

Executive Summary

CVE-2025-9487 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Admin and Site Enhancements' versions before 7.9.8. It occurs because the plugin does not sanitize SVG files uploaded via the xmlrpc.php endpoint when SVG uploads are enabled. This allows authenticated users with upload permissions to upload malicious SVG files containing embedded JavaScript payloads. When these SVG files are accessed, the malicious JavaScript executes, potentially compromising the site or user data. [1]

Detection Guidance

This vulnerability can be detected by checking if the Admin and Site Enhancements WordPress plugin version is prior to 7.9.8 and if the SVG upload setting is enabled. Additionally, monitoring for POST requests to xmlrpc.php that include base64-encoded SVG files with embedded <script> tags can help identify exploitation attempts. Using tools like Burp Suite to intercept and analyze xmlrpc.php requests can assist in detection. A command example to check plugin version via WP-CLI is: `wp plugin get admin-and-site-enhancements --field=version`. Network monitoring can include searching for POST requests to xmlrpc.php containing SVG uploads. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Admin and Site Enhancements WordPress plugin to version 7.9.8 or later, which contains the fix for this vulnerability. If updating is not immediately possible, disable the SVG upload feature in the plugin settings and restrict upload permissions to trusted users only. Additionally, monitor and block suspicious POST requests to xmlrpc.php that attempt to upload SVG files. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart