CVE-2025-12163 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Omnipress plugin for WordPress, affecting all versions up to 1.6.3. The core issue arises from insufficient sanitization and output escaping of SVG file uploads, which allows authenticated users with Author-level permissions or higher to upload SVG files containing embedded malicious JavaScript. When these SVG files are accessed by any user, the embedded scripts execute, resulting in stored cross-site scripting (XSS). This type of XSS is particularly dangerous because the malicious payload is stored persistently on the server and triggers automatically upon file access, potentially affecting any visitor or administrator viewing the SVG content. The vulnerability requires authentication at the Author level, which is a moderately privileged role in WordPress, but does not require further user interaction beyond accessing the malicious SVG. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with attack vector being network-based, low attack complexity, and privileges required at a low level. The scope is changed, as the vulnerability can affect other components or users beyond the initial compromised account. Confidentiality and integrity impacts are low but notable, while availability is unaffected. No known exploits have been reported in the wild as of the publication date. The vulnerability is significant for websites using Omnipress, especially those that allow multiple authors or contributors to upload media content, as it can lead to session hijacking, defacement, or unauthorized actions via script execution.

For European organizations, particularly those operating WordPress sites with the Omnipress plugin, this vulnerability can lead to unauthorized script execution affecting site visitors and administrators. The stored XSS can be leveraged to steal session cookies, perform actions on behalf of users, or inject malicious content, compromising confidentiality and integrity of data. Organizations in sectors such as media, publishing, education, and government that rely on WordPress for content management are at increased risk. The impact includes potential data breaches, reputational damage, and regulatory non-compliance under GDPR if personal data is exposed. Since the vulnerability requires Author-level access, insider threats or compromised contributor accounts pose a significant risk. The lack of user interaction for exploitation increases the likelihood of successful attacks once an attacker gains the necessary privileges. Although availability is not directly impacted, the indirect effects of compromise may disrupt operations or require costly incident response.

European organizations should implement the following specific mitigations: 1) Immediately restrict SVG file uploads to trusted users only or disable SVG uploads entirely if not required. 2) Apply strict server-side validation and sanitization of SVG files to remove or neutralize embedded scripts before allowing uploads. 3) Implement robust output escaping mechanisms when rendering SVG content to prevent script execution in browsers. 4) Upgrade the Omnipress plugin to a patched version once available or apply vendor-provided patches promptly. 5) Enforce the principle of least privilege by reviewing and limiting Author-level access to trusted personnel only. 6) Monitor upload logs and user activities for suspicious SVG uploads or anomalous behavior. 7) Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate impact of XSS. 8) Conduct regular security audits and penetration testing focused on file upload functionalities. 9) Educate content contributors about the risks of uploading untrusted files. These targeted actions go beyond generic advice and address the specific attack vector and exploitation conditions of this vulnerability.