CVE-2025-12163: CWE-434 Unrestricted Upload of File with Dangerous Type in omnipressteam Omnipress
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Analysis
Technical Summary
CVE-2025-12163 is a stored cross-site scripting (XSS) vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Omnipress plugin for WordPress. This vulnerability arises because the plugin fails to properly sanitize and escape SVG file uploads, allowing authenticated users with Author-level permissions or higher to upload SVG files containing embedded malicious JavaScript. When other users or administrators access pages displaying these SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The attack vector is remote and network-based, requiring only authenticated access but no further user interaction. The vulnerability affects all versions of Omnipress up to 1.6.3, with no patches currently available. The CVSS 3.1 score of 6.4 reflects a medium severity, considering the ease of exploitation (low complexity), requirement for privileges (Author-level), and the impact on confidentiality and integrity but no impact on availability. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple authors or contributors. The stored nature of the XSS makes it persistent and potentially more damaging than reflected XSS. Attackers could leverage this to steal cookies, perform actions on behalf of users, or spread malware within the site environment.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to sensitive information, session hijacking, and potential defacement or manipulation of website content. Since WordPress is widely used across Europe for corporate, governmental, and media websites, exploitation could undermine trust and cause reputational damage. The requirement for Author-level access limits the initial attack surface to insiders or compromised accounts, but once exploited, the impact can extend to all users visiting the affected pages. Confidentiality and integrity of user data and site content are at risk, which could lead to data breaches or compliance violations under GDPR. The absence of availability impact means service disruption is unlikely, but the persistent nature of the XSS could facilitate long-term unauthorized access or data exfiltration. Organizations relying on Omnipress for publishing or content management should consider the risk of lateral movement if attackers escalate privileges after initial exploitation.
Mitigation Recommendations
European organizations should immediately audit user roles and permissions in WordPress to ensure that only trusted users have Author-level or higher access. Restrict SVG file uploads or disable them entirely if not required. Implement strict input validation and sanitization on file uploads, especially for SVGs, using security-focused plugins or custom filters that remove scripts from SVG content. Monitor and review uploaded files regularly for suspicious content. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Keep WordPress core and all plugins updated, and watch for official patches from Omnipress developers. Consider deploying Web Application Firewalls (WAFs) that can detect and block XSS payloads. Educate content authors about the risks of uploading untrusted files and enforce multi-factor authentication to reduce account compromise risk. Finally, prepare incident response plans to quickly address any detected exploitation attempts.
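As an added example (not code from the advisory, from Wordfence, or from the Omnipress plugin), the following Python check implements the "remove scripts from SVG content" recommendation above as a reject-on-upload filter: it parses an SVG and flags script elements, event-handler attributes, and active URL schemes in href attributes. The two sample files and all function and constant names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Elements that have no place in an image asset but can run or embed code.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes in href/xlink:href that execute script when the SVG is opened.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
EVENT_ATTR = re.compile(r"^on[a-z]+$")

def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]

def svg_findings(svg_text: str) -> List[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():  # iter() walks the whole tree, root included
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            # Browsers ignore embedded whitespace in a scheme, so collapse it first.
            scheme_view = re.sub(r"\s", "", value).lower()
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and scheme_view.startswith(DANGEROUS_SCHEMES):
                findings.append(f"{name} with active scheme on <{tag}>")
    return findings

# Constructed samples: a plain icon, and markup of the kind the advisory describes.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#0a0"/>
</svg>"""
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed */">
  <script>/* constructed */</script>
  <a xlink:href="java\tscript:void(0)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    for label, svg in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_findings(svg) or "no findings")
```

A file with any finding should be rejected at upload time or quarantined when found in the uploads directory; an allow-list of harmless tags and attributes is stricter still, but this deny-list covers the script-bearing constructs the advisory concerns.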
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T14:04:10.223Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327172f88dbe026c779915
Added to database: 12/5/2025, 5:45:22 AM
Last enriched: 12/12/2025, 7:13:49 AM
Last updated: 2/6/2026, 1:01:49 AM