CVE-2025-14120 is a stored Cross-Site Scripting (XSS) vulnerability identified in the URL Image Importer plugin for WordPress, affecting all versions up to and including 1.0.7. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization of SVG files uploaded through the plugin. Authenticated attackers with Author-level access or higher can exploit this vulnerability by uploading crafted SVG files containing malicious JavaScript code. When any user accesses a page displaying the malicious SVG, the embedded script executes in the context of the victim's browser, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4, with an attack vector of network (remote), low attack complexity, privileges required at the Author level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. Although no known exploits are reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's functionality. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure. This vulnerability highlights the risks associated with accepting and rendering SVG files without proper sanitization, as SVGs can contain embedded scripts unlike other image formats.

The impact of CVE-2025-14120 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an attacker with Author-level access to inject persistent malicious scripts that execute in the browsers of any user viewing the infected SVG file. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or manipulation of site content. Since the attack requires authenticated access at the Author level, sites with multiple contributors or less restrictive role assignments are at higher risk. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially compromising the entire WordPress site. Although availability impact is rated low, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for image import functionality face increased risk of targeted attacks, especially if they do not promptly apply mitigations. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once exploit code becomes available.

To mitigate CVE-2025-14120, organizations should take the following specific actions: 1) Immediately restrict SVG file uploads to trusted users only, or disable SVG uploads entirely if not essential. 2) Implement strict role-based access controls to limit Author-level and higher privileges to trusted personnel only. 3) Use web application firewalls (WAFs) with rules designed to detect and block malicious SVG payloads or suspicious script activity embedded in SVG files. 4) Sanitize all SVG files before upload using specialized libraries that remove scripts and potentially harmful elements, such as SVG sanitizers like 'SVG Sanitizer' or 'DOMPurify' configured for server-side use. 5) Monitor logs for unusual upload activity or access patterns to SVG files. 6) Keep WordPress core and all plugins updated; watch for official patches or updates from the bww URL Image Importer plugin vendor and apply them promptly once available. 7) Educate content authors about the risks of uploading untrusted SVG files and enforce security policies around content uploads. 8) Consider implementing Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of any injected scripts. These targeted mitigations go beyond generic advice by focusing on controlling SVG upload vectors, enforcing strict access controls, and sanitizing inputs at multiple layers.