The BSK PDF Manager plugin for WordPress suffers from a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation. Specifically, SVG file uploads are not adequately sanitized or escaped, enabling authenticated users with administrator privileges to embed arbitrary scripts. These scripts execute when other users access the SVG files, potentially compromising user sessions or data. This issue affects all versions up to and including 3.7.1 and is limited to multi-site environments or installations where the unfiltered_html capability is disabled. The vulnerability has a CVSS 3.1 base score of 5.5, reflecting a medium impact with network attack vector, low attack complexity, and high privileges required.

An authenticated attacker with administrator-level access can inject malicious scripts via SVG file uploads that execute in the context of users viewing those files. This can lead to limited confidentiality and integrity impacts, such as session hijacking or unauthorized actions performed by users. The vulnerability does not affect availability and requires high privileges, limiting the attack surface. It specifically affects multi-site WordPress setups or those with unfiltered_html disabled, reducing the scope of vulnerable environments.

No official patch or fix is currently documented for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is available, restrict administrator access to trusted users only and consider disabling SVG uploads or limiting file types accepted by the plugin. Review and adjust WordPress multi-site configurations and unfiltered_html settings to minimize exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.