CVE-2025-4970: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bannersky BSK PDF Manager
The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-4970 is a stored cross-site scripting vulnerability classified under CWE-79, found in the BSK PDF Manager plugin for WordPress. The flaw exists due to insufficient sanitization and escaping of SVG file uploads, which allows an authenticated attacker with administrator-level privileges to embed arbitrary JavaScript code within SVG files. This malicious code executes whenever any user accesses the infected SVG file, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress environment. The vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope but still posing a significant risk in complex WordPress deployments. The CVSS v3.1 score is 5.5 (medium), reflecting that the attack vector is network-based, requires high privileges (administrator), no user interaction, and impacts confidentiality and integrity with no availability impact. No public exploits have been reported yet, but the vulnerability's presence in a popular plugin used for document management in WordPress sites makes it a notable risk. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.
Potential Impact
For European organizations, especially those operating multi-site WordPress environments using the BSK PDF Manager plugin, this vulnerability could lead to unauthorized script execution, resulting in data leakage, session hijacking, or unauthorized administrative actions. The impact on confidentiality and integrity could compromise sensitive business information or user data. Since exploitation requires administrator privileges, insider threats or compromised admin accounts pose the greatest risk. The absence of user interaction lowers the barrier for automated exploitation once an attacker gains admin access. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and public sector portals, this vulnerability could disrupt trust and compliance with data protection regulations such as GDPR if exploited. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target plugins with known vulnerabilities. Organizations running multi-site WordPress setups, or that have disabled unfiltered_html, are particularly exposed; single-site installations where administrators retain the unfiltered_html capability are not affected.
Mitigation Recommendations
European organizations should immediately audit their WordPress environments to identify installations of the BSK PDF Manager plugin, particularly multi-site setups. Restrict SVG file uploads to trusted users only, or disable SVG uploads entirely if not essential. Implement strict input validation and output escaping for SVG files at the application level. Monitor administrator account activities for unusual behavior to detect potential exploitation attempts. Apply the principle of least privilege by limiting administrator access and ensuring strong authentication mechanisms such as MFA. Regularly update WordPress core and plugins once patches for this vulnerability become available. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious SVG payloads. Conduct security awareness training for administrators about the risks of uploading untrusted files. Finally, maintain regular backups and incident response plans tailored to WordPress environments to minimize impact if exploitation occurs.
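As an added defensive example (not code from the advisory or from the BSK PDF Manager plugin), the following WordPress mu-plugin implements two of the recommendations above: SVG uploads are refused for users who lack unfiltered_html (the configuration the advisory names as affected), and any SVG carrying script or event-handler content is rejected before it is stored. It assumes uploads pass through WordPress's wp_handle_upload() path; the helper name example_svg_has_active_content and its pattern list are hypothetical and heuristic, not a full SVG sanitizer.

```php
<?php
/**
 * Example mu-plugin (added here; not part of the advisory or the plugin):
 * block SVG uploads from users without unfiltered_html and reject SVGs
 * that contain active content. Drop into wp-content/mu-plugins/.
 */

// Hypothetical helper: returns true if the SVG looks like it carries script.
function example_svg_has_active_content( string $path ): bool {
    $data = file_get_contents( $path );
    if ( false === $data ) {
        return true; // fail closed if the temp file cannot be read
    }
    $patterns = array(
        '/<\s*script\b/i',        // <script> elements
        '/\son[a-z]+\s*=/i',      // onload=, onclick=, ... event handlers
        '/javascript\s*:/i',      // javascript: URLs in href / xlink:href
        '/<\s*foreignObject\b/i', // embedded (X)HTML inside the SVG
        '/<!ENTITY/i',            // entity declarations (XXE / expansion)
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $data ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext && 'svgz' !== $ext ) {
        return $file; // only SVG uploads are affected by this advisory
    }
    // On multisite, or with DISALLOW_UNFILTERED_HTML, admins lack this
    // capability; that is exactly the affected configuration, so refuse.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $file['error'] = 'SVG uploads require the unfiltered_html capability.';
        return $file;
    }
    // Even trusted uploaders should not store SVGs with embedded script.
    if ( 'svg' === $ext && example_svg_has_active_content( $file['tmp_name'] ) ) {
        $file['error'] = 'SVG rejected: contains script or event-handler content.';
    }
    return $file;
} );
```

Setting `$file['error']` to a non-empty string makes WordPress abort the upload and show that message to the uploader, so the file never reaches the uploads directory.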
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-19T22:06:06.068Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bc3e35f3fdafda42e6cf0
Added to database: 12/12/2025, 7:27:31 AM
Last enriched: 12/19/2025, 8:29:40 AM
Last updated: 2/6/2026, 4:55:54 PM
Views: 73