CVE-2025-14984
Unknown Unknown - Not Provided
Stored XSS via Unsanitized SVG Upload in Gutenverse Form Plugin

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: Wordfence

Description
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14984
EUVD
EUVD-2026-1580
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jegstudio gutenverse_form to 2.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow attackers with Author-level access or higher to execute arbitrary JavaScript in the browsers of users who view the malicious SVG files. This can lead to session hijacking, defacement, theft of sensitive information, or other malicious actions performed in the context of the victim's browser session.

Executive Summary

The Gutenverse Form plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in all versions up to and including 2.3.2. The plugin adds SVG files to the allowed MIME types without sanitizing the SVG content. This allows authenticated users with Author-level access or higher to upload SVG files containing malicious JavaScript. When these SVG files are viewed, the malicious JavaScript executes in the victim's browser, leading to arbitrary script execution.

Detection Guidance

This vulnerability can be detected by monitoring for SVG file uploads in the Gutenverse Form plugin on your WordPress site, especially from users with Author-level access or higher. Since the vulnerability involves malicious JavaScript embedded in SVG files, you can check uploaded SVG files for suspicious content. Commands to detect such files could include searching the upload directories for SVG files and inspecting their contents. For example, on a Linux server hosting WordPress, you could use: 1) Find SVG files: `find /path/to/wordpress/wp-content/uploads/ -name '*.svg'` 2) Search for script tags or JavaScript in SVG files: `grep -i -r '<script' /path/to/wordpress/wp-content/uploads/*.svg` or `grep -i -r 'javascript:' /path/to/wordpress/wp-content/uploads/*.svg` These commands help identify potentially malicious SVG files uploaded via the vulnerable plugin.

Mitigation Strategies

Immediate mitigation steps include: 1) Update the Gutenverse Form plugin to a version that includes the security fix, which adds SVG upload verification to prevent unsafe SVG files from being uploaded. 2) If an update is not immediately possible, restrict or disable SVG uploads for users with Author-level access or higher. 3) Implement server-side scanning of uploaded SVG files to detect and remove files containing unsafe elements or scripts. 4) Review and remove any suspicious SVG files already uploaded. The plugin's updated code adds a pre-upload filter `verify_svg_upload` that validates SVG files and rejects those containing disallowed or unsafe elements, so applying this update is critical. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart