CVE-2025-4970 is a stored cross-site scripting vulnerability identified in the bannersky BSK PDF Manager plugin for WordPress, affecting all versions up to and including 3.7.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically related to SVG file uploads. The plugin fails to adequately sanitize and escape SVG content, enabling authenticated attackers with Administrator-level privileges or higher to embed arbitrary JavaScript code within SVG files. When these SVG files are accessed by users, the malicious scripts execute in their browsers, potentially compromising session tokens, user credentials, or enabling further attacks such as privilege escalation or lateral movement. Notably, this vulnerability only affects WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the scope but still posing a significant risk in those environments. The CVSS 3.1 base score of 5.5 reflects a medium severity, with network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change due to affecting other components beyond the vulnerable plugin. No public exploits have been reported yet, but the presence of this vulnerability in a widely used plugin necessitates prompt attention. The lack of available patches at the time of disclosure further increases the urgency for mitigation through configuration changes or temporary restrictions.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks that can compromise the confidentiality and integrity of user data within affected WordPress sites. Attackers with Administrator privileges can inject malicious scripts that execute in the context of any user accessing the SVG files, potentially leading to session hijacking, theft of sensitive information, or execution of unauthorized actions on behalf of users. Although availability is not directly impacted, the breach of trust and data integrity can disrupt organizational operations and damage reputation. The requirement for high privileges limits exploitation to insiders or compromised administrator accounts, but in multi-site environments, the scope of affected users and sites can be broad, amplifying the risk. Organizations relying on the BSK PDF Manager plugin in multi-site WordPress setups or with unfiltered_html disabled should consider this a serious threat to their web infrastructure security.

To mitigate CVE-2025-4970, organizations should first verify if they operate WordPress multi-site installations or have unfiltered_html disabled and use the BSK PDF Manager plugin version 3.7.1 or earlier. Immediate mitigation steps include restricting SVG file uploads to trusted users only or disabling SVG uploads entirely until a patch is available. Administrators should audit existing SVG files for suspicious content and remove any untrusted files. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious SVG payloads can provide additional protection. Monitoring administrator account activity for unusual behavior is recommended to detect potential exploitation attempts. Once the vendor releases a patch, prompt updating of the plugin is critical. Additionally, consider enabling Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of any injected scripts. Regular backups and incident response plans should be updated to address potential exploitation scenarios.