CVE-2025-14120 is a stored cross-site scripting (XSS) vulnerability identified in the URL Image Importer plugin for WordPress, specifically affecting all versions up to and including 1.0.7. The root cause is insufficient sanitization of SVG files uploaded via the plugin, which allows authenticated users with Author-level access or higher to embed arbitrary JavaScript code within SVG images. When these SVG files are later rendered on web pages, the malicious scripts execute in the context of the victim's browser, potentially leading to session hijacking, data theft, or unauthorized actions within the affected WordPress site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (Author or above), no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially compromised component. Although no public exploits are currently known, the vulnerability poses a significant risk due to the common use of SVG images and the widespread deployment of WordPress and its plugins. The vulnerability was published on January 6, 2026, and was reserved in December 2025. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability could lead to unauthorized script execution on their WordPress-powered websites, potentially compromising the confidentiality and integrity of user data. Attackers could hijack user sessions, deface websites, or conduct phishing attacks by injecting malicious scripts. This is particularly concerning for organizations handling sensitive customer information or providing critical services online. The requirement for Author-level access means that insider threats or compromised accounts with elevated privileges could exploit this vulnerability to escalate attacks. Given the popularity of WordPress in Europe, especially among SMEs and public sector entities, exploitation could disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed. The scope change in the CVSS vector indicates that the impact extends beyond the immediate component, potentially affecting other parts of the web application or user interactions.

1. Immediately restrict Author-level and higher privileges to trusted users only, and review existing user roles for unnecessary elevated access. 2. Disable SVG file uploads temporarily until a patch or update is available. 3. Implement server-side sanitization of SVG files using robust libraries that remove scripts and potentially dangerous elements before upload acceptance. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the impact of any injected scripts. 5. Monitor web server and application logs for unusual activity related to SVG file uploads and access. 6. Educate content authors and administrators about the risks of uploading untrusted SVG files. 7. Once a patch is released by the plugin vendor, apply it promptly and verify the fix. 8. Consider using Web Application Firewalls (WAF) with rules to detect and block malicious SVG payloads. 9. Regularly audit WordPress plugins and themes for vulnerabilities and maintain an updated inventory of installed components.