CVE-2025-14120
Stored XSS in WordPress URL Image Importer via SVG Uploads
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | url_image_importer | to 1.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress plugin URL Image Importer (versions up to and including 1.0.7). It occurs because the plugin does not sufficiently sanitize SVG file uploads, allowing authenticated users with Author-level access or higher to upload SVG files containing malicious scripts. These scripts are then stored and executed whenever any user accesses the SVG file, potentially compromising the website or user data. [2, 3]
How can this vulnerability impact me? :
The vulnerability can allow attackers with Author-level access or higher to inject arbitrary malicious scripts into SVG files uploaded to the site. These scripts execute in the context of users viewing the SVG files, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the website and its users. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2025-14120 in the URL Image Importer WordPress plugin, immediately update the plugin to version 1.0.8 or later, which includes a security fix that implements whitelist-based SVG sanitization using the enshrined/svg-sanitize PHP library. This update thoroughly sanitizes SVG uploads by removing dangerous elements, attributes, and URL schemes that could be used for stored XSS attacks. If updating is not immediately possible, restrict SVG file uploads to trusted users only and consider disabling SVG uploads temporarily to prevent exploitation. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves unsafe handling of SVG file uploads in the URL Image Importer WordPress plugin versions up to 1.0.7. Detection can focus on identifying SVG files uploaded via this plugin that contain dangerous elements or attributes such as <script>, <object>, event handlers (e.g., onload, onclick), or dangerous URL schemes like javascript:, data:, or vbscript:. Since the plugin sanitizes SVG files in version 1.0.8 and later, detection involves checking if the plugin version is 1.0.7 or earlier and scanning uploaded SVG files for these unsafe elements or attributes. Commands to detect potentially malicious SVG files could include using grep or XML parsing tools to search for suspicious tags or attributes in the uploads directory. For example, on a Linux system hosting the WordPress site, you might run commands like: 1. `grep -r -i -E '<script|<object|onload=|onclick=|onerror=' wp-content/uploads/*.svg` 2. `find wp-content/uploads/ -name '*.svg' -exec grep -iE 'javascript:|data:|vbscript:' {} +` Additionally, checking the installed plugin version can be done by inspecting the plugin files or via the WordPress admin interface to confirm if the vulnerable version is in use. Note that no specific detection commands are provided in the resources, so these suggestions are based on the nature of the vulnerability and typical file scanning methods. [2, 3]