CVE-2025-12163 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Omnipress plugin for WordPress, specifically versions up to 1.6.3. The core issue arises from the plugin's failure to properly sanitize and escape SVG file uploads, allowing authenticated users with Author-level privileges or higher to upload SVG files containing embedded malicious JavaScript. These scripts are stored and executed whenever any user accesses the SVG file, resulting in a stored cross-site scripting (XSS) attack. The vulnerability leverages the SVG format's capability to embed scripts, which, if unchecked, can compromise the confidentiality and integrity of the affected website and its users. The attack vector is network-based, requiring only authenticated access but no further user interaction, and it can affect multiple users who view the malicious SVG content. The vulnerability's CVSS 3.1 score is 6.4, indicating a medium severity level due to the combination of privileges required and the impact scope. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks associated with insufficient input validation and output escaping in web applications that allow file uploads, especially for file types capable of embedding executable code like SVGs.

The vulnerability can lead to stored XSS attacks, allowing attackers to execute arbitrary scripts in the context of the vulnerable website. This can result in session hijacking, defacement, unauthorized actions on behalf of users, and potential data theft. Since the attack requires Author-level access, it assumes some level of trust or compromise of user credentials, but once exploited, it can affect any user who views the malicious SVG file, including administrators. The integrity and confidentiality of the website and its users are at risk, potentially damaging organizational reputation and user trust. Although availability is not directly impacted, the indirect effects of XSS can lead to further exploitation or disruption. Organizations relying on Omnipress for content management on WordPress sites are particularly vulnerable, especially if they have multiple users with Author or higher privileges. The lack of known exploits in the wild suggests limited current active exploitation, but the vulnerability remains a significant risk if weaponized.

Organizations should immediately review user privileges and restrict Author-level access to trusted personnel only. Implement strict input validation and sanitization for SVG uploads, or disable SVG uploads entirely if not required. Employ Content Security Policy (CSP) headers to mitigate the impact of XSS by restricting script execution sources. Monitor and audit file uploads for suspicious content and consider using security plugins that scan for malicious files. Update the Omnipress plugin as soon as an official patch is released. In the interim, consider applying manual code fixes to sanitize SVG inputs or use third-party libraries that safely handle SVG files. Educate users about the risks of uploading untrusted files and enforce multi-factor authentication to reduce the risk of compromised accounts. Regularly review logs for unusual activity related to file uploads and access patterns. Finally, conduct penetration testing focused on file upload functionalities to identify and remediate similar vulnerabilities proactively.