CVE-2025-1725: CWE-434 Unrestricted Upload of File with Dangerous Type in bitpressadmin Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Analysis
Technical Summary
CVE-2025-1725 is a vulnerability in the Bit File Manager plugin for WordPress, a free and open-source file manager and code editor, affecting all versions up to and including 6.7. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): the plugin's upload handler accepts SVG files from low-privilege users without sanitizing their contents, and the consequence of that upload is stored cross-site scripting. SVG is an XML format that can carry <script> elements, event-handler attributes such as onload, and javascript: URLs in href attributes; an authenticated user with Subscriber-level access or above can upload such a file, and its script runs in the site's origin whenever a victim opens the stored file. Note that browsers only execute script in an SVG that is rendered as a document (navigated to directly, or loaded through iframe, object or embed), not in one referenced from an <img> tag or CSS, so the attacker normally has to get a victim to visit the file's URL. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required and no user interaction. The scope is changed because the injected script executes in users' browsers, a different security authority from the upload component itself. The impact is low for confidentiality and integrity and none for availability. No exploits in the wild had been reported at the time of this analysis, and no patched version is identified here. Exploitation can lead to actions performed in the context of the affected WordPress site with the victim's privileges, including content manipulation, defacement, or further escalation if the victim is an administrator.
Potential Impact
The primary impact of CVE-2025-1725 is stored cross-site scripting on WordPress sites running the vulnerable Bit File Manager plugin. Script executing in a user's browser in the site's origin compromises confidentiality and integrity: it can read any page or API response the victim is allowed to see, and it can submit requests on the victim's behalf. WordPress sets its authentication cookies HttpOnly, so the realistic path is not reading the cookie directly but driving authenticated requests from the victim's browser, for example using the victim's REST API nonce to change content or, if the victim is an administrator, to create users or install plugins. Availability is not directly affected, although a full administrator takeover obtained this way can be used to degrade or disable the site. Because only Subscriber-level authentication is required, any site that allows open registration, or that has many low-privilege accounts, exposes this path to a large pool of potential attackers. Organizations relying on this plugin risk defacement, data exposure and unauthorized access. The absence of known exploits in the wild lowers immediate risk but does not remove it, since the issue is publicly disclosed and the plugin's source is open, so the upload path is easy to study. The global footprint of WordPress widens the exposed population.
Mitigation Recommendations
To mitigate CVE-2025-1725, upgrade the Bit File Manager plugin to a fixed release as soon as one is available; until then, restrict the plugin's file-manager access to trusted administrative roles, or disable the plugin if it is not needed. Note that WordPress's core media library rejects SVG uploads by default, but a file manager plugin writes files through its own handler, so core's upload_mimes filtering does not protect this path. Add server-side validation on upload that parses each SVG as XML and rejects any file containing <script> or foreignObject elements, on* event-handler attributes, javascript: URLs in href attributes, SMIL animation elements that rewrite href, or a DOCTYPE, using an established SVG sanitizing library rather than a regular expression. Harden how stored SVGs are served: configure the web server to send Content-Disposition: attachment for .svg files under the upload directory, or attach a restrictive Content-Security-Policy header to those responses, so that a file that slips through cannot execute script when opened directly. Audit existing uploads for SVG files containing script, and monitor upload activity and audit logs for SVG uploads by low-privilege accounts. Web application firewall rules that inspect upload bodies for SVG script content add a further layer. Finally, review WordPress user roles and registration settings so that as few accounts as possible are able to upload files at all.
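The following is an added example for this advisory, not code from the Bit File Manager plugin or from Wordfence. It implements the server-side check described above (parse the SVG as XML and reject script-bearing content, including the SMIL and DOCTYPE cases a naive grep misses) and a directory scan for auditing existing uploads. All sample SVGs are constructed for the demonstration; function names and messages are this example's own.

```python
"""Static inspection of SVG uploads for content that executes as script.

Added example for this advisory; it is not code from the Bit File Manager
plugin or from Wordfence. It shows the server-side check the mitigation
section calls for: parse the SVG as XML and refuse anything that can run
script when the file is opened directly in a browser (which is how an
uploaded SVG becomes stored XSS). All sample SVGs below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that run script or embed arbitrary HTML once the SVG is rendered as
# a document (direct navigation, <iframe>, <object>, <embed>); none of them run
# when the same file is referenced from an <img> tag or CSS.
DANGEROUS_TAGS = {"script", "foreignObject"}
# A script-scheme URL in any href attribute executes on click or activation.
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)
# SMIL animation elements can rewrite href at runtime, bypassing a naive
# grep for "javascript:" in static attributes.
SMIL_TAGS = {"set", "animate"}
SMIL_VALUE_ATTRS = ("to", "from", "values")


def local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def find_svg_hazards(data: bytes) -> list[str]:
    """Return the reasons an SVG must be rejected; an empty list means clean."""
    findings: list[str] = []
    # Refuse DTDs before parsing: benign icons never need entities, and a
    # DOCTYPE is the entry point for XXE and entity-expansion attacks.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if local(root.tag) != "svg":
        findings.append(f"root element is <{local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                m = BAD_SCHEME.match(value)
                if m:
                    findings.append(f"{m.group(1).lower()}: URL in href on <{tag}>")
            elif tag in SMIL_TAGS and name in SMIL_VALUE_ATTRS:
                m = BAD_SCHEME.match(value)
                if m:
                    findings.append(f"{m.group(1).lower()}: URL in '{name}' on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload-handler decision: accept only when no hazard was found."""
    return not find_svg_hazards(data)


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Audit existing uploads (e.g. wp-content/uploads): path -> findings."""
    return {
        str(p): h
        for p in root.rglob("*.svg")
        if (h := find_svg_hazards(p.read_bytes()))
    }


# Constructed samples (not taken from the advisory or any real site).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>alert(document.domain)</script>
  <a href="javascript:alert(1)"><text y="10">link</text></a>
</svg>"""

SMIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a><set attributeName="xlink:href" to="javascript:alert(1)"/><text y="10">link</text></a>
</svg>"""

DTD_SVG = b"""<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e "x">]>
<svg xmlns="http://www.w3.org/2000/svg"><text y="10">&e;</text></svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
                          ("smil", SMIL_SVG), ("dtd", DTD_SVG)]:
        print(label, "->", find_svg_hazards(sample) or "clean")
```

The check is a reject list on a parsed tree rather than a regex over the raw bytes, which is what lets it catch the SMIL rewrite and the event-handler attribute that a search for "<script" would miss. In a PHP upload handler the same logic maps onto DOMDocument loaded with LIBXML_NONET; for Python in production, parse through defusedxml so entity expansion is refused rather than merely flagged. A stricter alternative is an allow-list sanitizer that rewrites the file to keep only known-safe elements and attributes, which avoids having to enumerate every dangerous construct.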
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-26T17:58:14.600Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683eb229182aa0cae26c7bc3
Added to database: 6/3/2025, 8:28:25 AM
Last enriched: 2/27/2026, 12:28:09 PM
Last updated: 3/25/2026, 7:29:08 AM