CVE-2025-12457 is a stored cross-site scripting vulnerability classified under CWE-79, found in the 'Enable SVG, WebP, and ICO Upload' WordPress plugin developed by ideastocode. This plugin allows users to upload SVG, WebP, and ICO image files to WordPress sites. The vulnerability exists because the plugin fails to properly sanitize and escape SVG file content before storing and rendering it. Specifically, authenticated users with Author-level permissions or higher can upload crafted SVG files containing malicious JavaScript code. When other users or administrators access pages displaying these SVG files, the embedded scripts execute in their browsers. This can lead to theft of authentication cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the victim user. The vulnerability affects all plugin versions up to and including 1.1.2. The CVSS 3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based, with low complexity, requiring privileges equivalent to an Author role, and no user interaction is needed beyond viewing the malicious SVG. The vulnerability has a scope change, as it can affect other users beyond the attacker. No patches or fixes have been officially released as of the publication date, and no known exploits are currently in the wild. This vulnerability highlights the risks of allowing SVG uploads without strict sanitization, as SVG files can contain executable code.

The impact of CVE-2025-12457 is significant for organizations running WordPress sites with the affected plugin installed. An attacker with Author-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to compromised user accounts, theft of sensitive data such as cookies and tokens, unauthorized actions performed with victim privileges, and potential lateral movement within the site. Since WordPress is widely used for websites globally, including corporate, governmental, and e-commerce sites, exploitation could undermine trust, lead to data breaches, and cause reputational damage. The vulnerability does not directly impact availability but compromises confidentiality and integrity. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially on sites with multiple contributors or where account compromise is possible. The scope of impact extends beyond the attacker to all users who view the malicious SVG content, increasing potential damage.

To mitigate CVE-2025-12457, organizations should immediately restrict SVG upload capabilities to only highly trusted users or disable SVG uploads entirely until a patch is available. Implement strict server-side sanitization of SVG files using robust libraries that remove scripts and dangerous elements before storage or rendering. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any injected scripts. Regularly audit user roles and permissions to minimize the number of users with Author-level or higher access. Monitor logs for suspicious SVG uploads or unusual user activity. If possible, update to a patched version of the plugin once released by the vendor. Additionally, consider using alternative plugins with secure SVG handling or convert SVGs to safer formats before upload. Educate site administrators and users about the risks of uploading untrusted SVG content. Finally, implement web application firewalls (WAFs) with rules to detect and block malicious SVG payloads.