CVE-2025-13069
BaseFortify
Publication date: 2025-11-18
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | enable_svg_webp_and_ico_upload | 1.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Enable SVG, WebP, and ICO Upload plugin for WordPress up to version 1.1.2. It allows authenticated users with author-level access or higher to upload arbitrary files due to insufficient validation of ICO file types. Specifically, files with double extensions and correct magic bytes can bypass sanitization and be accepted as valid ICO files, potentially enabling remote code execution on the server.
How can this vulnerability impact me? :
An attacker with author-level access or above can exploit this vulnerability to upload arbitrary files to the server hosting the WordPress site. This can lead to remote code execution, allowing the attacker to execute malicious code, compromise the server, steal data, or disrupt the website's operation.