CVE-2025-12451 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Easy SVG Support plugin for WordPress, maintained by benjamin_zekavica. The vulnerability affects all versions up to and including 4.0. It stems from improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of SVG file uploads. Authenticated users with Author-level access or higher can upload SVG files containing malicious JavaScript payloads. When these SVG files are rendered on pages visited by other users, the embedded scripts execute in their browsers, potentially compromising session tokens, stealing cookies, or performing actions on behalf of the victim. The vulnerability requires no user interaction beyond accessing the page with the malicious SVG, and no elevated privileges beyond Author-level are needed to exploit it. The CVSS v3.1 score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required for exploitation, but requiring user interaction (viewing the page). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Although no public exploits are currently known, the vulnerability poses a significant risk due to the popularity of WordPress and the plugin's use for SVG content management. The lack of available patches at the time of reporting increases exposure. The vulnerability highlights the risks of allowing SVG uploads without rigorous sanitization, as SVG files can contain embedded scripts unlike other image formats.

For European organizations, this vulnerability can lead to unauthorized script execution within the context of affected websites, resulting in session hijacking, defacement, phishing, or distribution of malware. Organizations relying on WordPress sites with the Easy SVG Support plugin are at risk of compromised user accounts and data leakage, especially if users with Author-level access can upload SVGs. This can undermine trust in corporate websites, disrupt business operations, and potentially lead to regulatory non-compliance under GDPR if personal data is exposed. The impact is heightened for sectors with high web presence such as media, e-commerce, education, and government. Additionally, the vulnerability could be leveraged as a foothold for further attacks within an organization's network. The medium severity score indicates moderate risk, but the ease of exploitation by authenticated users and the potential for widespread impact on website visitors make it a significant concern.

European organizations should immediately audit their WordPress installations for the presence of the Easy SVG Support plugin and verify the version in use. Until patches are available, restrict SVG uploads to trusted users only, ideally limiting upload permissions to administrators. Implement server-side validation and sanitization of SVG files using specialized libraries that remove scripts and dangerous elements. Employ Content Security Policy (CSP) headers to restrict script execution from untrusted sources. Monitor web server logs and user activity for unusual upload patterns or access to SVG files. Educate content authors about the risks of uploading untrusted SVG content. Consider disabling SVG support entirely if not essential. Regularly update WordPress and plugins to the latest versions once patches addressing this vulnerability are released. Use web application firewalls (WAFs) with rules targeting XSS payloads in SVG files to provide an additional layer of defense.