CVE-2025-4970
Stored XSS in BSK PDF Manager Plugin via SVG Uploads
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bsk_pdf_manager | bsk_pdf_manager | * |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you should first verify if the BSK PDF Manager plugin version is 3.7.1 or earlier, as these versions are vulnerable. Check if your WordPress installation is multi-site or if the unfiltered_html setting is disabled, as the vulnerability affects these configurations. Additionally, monitor for SVG file uploads by authenticated users with administrator-level access, especially looking for SVG files that may contain embedded scripts. Since the vulnerability involves stored cross-site scripting via SVG uploads, you can inspect uploaded SVG files for suspicious script tags or JavaScript code. Commands to help detect potentially malicious SVG files could include scanning the upload directories for SVG files containing script elements, for example using grep on the server: `grep -r --include='*.svg' '<script' /path/to/uploads/` or similar. Also, review plugin version via WP-CLI: `wp plugin get bsk-pdf-manager --field=version`. If the version is 3.7.1 or below, the site is vulnerable. Finally, check WordPress settings for unfiltered_html status and multi-site configuration. Note that detection requires administrative access and inspection of file uploads and plugin versions. [1, 3]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the BSK PDF Manager plugin for WordPress. It occurs via SVG file uploads due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access or higher can inject malicious web scripts into pages that execute whenever a user accesses the uploaded SVG file. This affects multi-site WordPress installations and installations where the unfiltered_html setting is disabled.
How can this vulnerability impact me? :
The vulnerability allows attackers with high-level access to inject arbitrary scripts that execute in users' browsers when they view the SVG files. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected site. Since it requires Administrator-level access, the risk is limited to compromised or malicious administrators, but the impact can be significant in multi-site environments.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the BSK PDF Manager plugin to a version later than 3.7.1 if available. If an update is not available, restrict Administrator-level access to trusted users only, ensure that unfiltered_html is enabled if possible, and avoid using multi-site installations until a patch is applied. Additionally, review and sanitize any uploaded SVG files to prevent malicious scripts from executing.