CVE-2025-2580: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bitpressadmin Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Analysis
Technical Summary
CVE-2025-2580 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Contact Form by Bit Form plugin for WordPress, which includes Multi Step Form, Calculation Contact Form, Payment Contact Form, and Custom Contact Form builder functionalities. The vulnerability exists in all versions up to and including 2.18.3 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape SVG file uploads, allowing authenticated users with Author-level access or higher to upload malicious SVG files containing embedded JavaScript. When these SVG files are accessed by any user, the embedded scripts execute in the context of the victim’s browser, potentially leading to session hijacking, privilege escalation, or unauthorized actions on the affected site. The attack complexity is high because it requires authenticated access with specific privileges, and no user interaction is needed once the malicious SVG is accessed. The vulnerability affects confidentiality and integrity but not availability. No patches have been officially released at the time of this report, and no known exploits are currently in the wild. The vulnerability was reserved in March 2025 and published in April 2025, with enrichment by CISA indicating recognition of its significance. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, high complexity, low privileges required, no user interaction, and a scope change due to script execution in other users’ contexts.
Potential Impact
The impact of CVE-2025-2580 is primarily on the confidentiality and integrity of WordPress sites using the Contact Form by Bit Form plugin. Successful exploitation allows an authenticated user with Author-level privileges or higher to inject persistent malicious scripts via SVG uploads. These scripts execute in the browsers of any users who view the SVG, potentially enabling session hijacking, theft of sensitive information, or unauthorized actions performed with the victim’s privileges. This can lead to account compromise, data leakage, or further site manipulation. Although availability is not directly impacted, the breach of trust and potential data exposure can have severe reputational and operational consequences. Organizations with many users holding elevated privileges are at higher risk, especially if they allow SVG uploads without restrictions. The medium CVSS score reflects the need for authentication and the high attack complexity, which limit the scope without eliminating the risk. Given WordPress’s widespread use globally, many websites, including e-commerce, corporate, and governmental portals, could be affected if they use this plugin and do not apply mitigations.
Mitigation Recommendations
To mitigate CVE-2025-2580, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, immediate steps include disabling SVG file uploads within the Contact Form by Bit Form plugin or globally on the WordPress site. Implement strict input validation and sanitization on all file uploads, especially SVGs, to remove or neutralize embedded scripts. Limit user roles that have upload permissions to trusted administrators only, reducing the risk of malicious uploads by lower-privileged users. Employ Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads or suspicious script patterns. Monitor logs for unusual upload activity or access to SVG files. Educate users with Author-level or higher privileges about the risks of uploading untrusted files. Additionally, consider implementing Content Security Policy (CSP) headers to restrict script execution from untrusted sources. Regularly audit installed plugins and remove unused or outdated ones to reduce the attack surface.
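The advice above to strip or neutralize embedded scripts in SVG uploads, and to review SVG files already on a site, is shown below in an added Python audit tool. It is not code from the Bit Form plugin or from this advisory; the two sample SVG documents are constructed for the demonstration, the file paths are whatever the operator passes on the command line, and the element and attribute lists are a defensive allow/deny set chosen here rather than anything the plugin defines.

```python
"""Audit and neutralize active content in SVG uploads (added example, not plugin code).

Flags the parts of an SVG that can run code in a viewer's browser: script
elements, on* event handlers, javascript:/vbscript: URLs, non-image data:
URLs, foreignObject, and active CSS; optionally removes them. For untrusted
input in production prefer defusedxml, since xml.etree does not limit entity
expansion.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on re-serialisation
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that carry a URL the browser may navigate to or load.
URL_ATTRS = {"href", "src", "data"}
SCRIPT_SCHEME = re.compile(r"^[\s\x00-\x1f]*(javascript|vbscript)\s*:", re.IGNORECASE)
DATA_SCHEME = re.compile(r"^[\s\x00-\x1f]*data\s*:", re.IGNORECASE)
ACTIVE_CSS = re.compile(r"(@import|url\s*\(|expression\s*\()", re.IGNORECASE)

Hit = Tuple[ET.Element, Optional[str], str]  # (element, offending attribute or None, label)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _inspect(root: ET.Element) -> Iterator[Hit]:
    """Yield one hit per element or attribute that can execute in a browser."""
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            yield elem, None, f"element:{name}"
        elif name == "style" and ACTIVE_CSS.search(elem.text or ""):
            yield elem, None, "element:style-with-url-or-import"
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                yield elem, attr, f"event-handler:{name}@{aname}"
            elif aname == "style" and ACTIVE_CSS.search(value):
                yield elem, attr, f"active-css:{name}@style"
            elif aname in URL_ATTRS and SCRIPT_SCHEME.match(value):
                yield elem, attr, f"script-url:{name}@{aname}"
            elif aname in URL_ATTRS and name != "image" and DATA_SCHEME.match(value):
                # data: URLs are normal on <image>; elsewhere they can smuggle HTML/SVG.
                yield elem, attr, f"data-url:{name}@{aname}"


def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return a label for every active-content hit; an empty list means clean."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable-xml: {exc}"]
    return [label for _elem, _attr, label in _inspect(root)]


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload-gate decision: accept only SVGs with no findings at all."""
    return svg_findings(svg_bytes) == []


def strip_active_content(svg_bytes: bytes) -> bytes:
    """Remove flagged elements and attributes and return the cleaned SVG bytes."""
    root = ET.fromstring(svg_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem, attr, label in list(_inspect(root)):   # materialise before mutating
        if attr is not None:
            elem.attrib.pop(attr, None)
        elif elem is root:
            raise ValueError(f"root element is active content ({label})")
        else:
            parents[elem].remove(elem)
    return ET.tostring(root, encoding="utf-8")


# Constructed samples for the demonstration; the active one only calls console.log.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="green"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<script>console.log("constructed sample")</script>'
              b'<rect width="10" height="10" onload="console.log(1)"/>'
              b'<a xlink:href="javascript:void(0)"><text>link</text></a></svg>')


if __name__ == "__main__":
    # Usage: python svg_audit.py path/to/uploads/*.svg  (paths are the operator's choice)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = svg_findings(fh.read())
        print(f"{path}: {'clean' if not hits else ', '.join(hits)}")
    if not sys.argv[1:]:
        print("clean sample:", svg_findings(CLEAN_SVG))
        print("active sample:", svg_findings(ACTIVE_SVG))
```

`is_safe_svg` is the strict policy (reject anything with a finding), which is the right default for an upload gate; `strip_active_content` is the lenient alternative for files that must be kept, and it reparses the cleaned output through the same checks, so a cleaned file that still produces findings should be treated as a bug rather than served. The same `svg_findings` output, written to a log, gives the "monitor for unusual SVG activity" signal the recommendations call for.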
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-20T22:27:53.445Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbeff45
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 2/27/2026, 12:59:05 PM
Last updated: 3/24/2026, 7:57:10 AM
Views: 64