{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14120", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T16:23:50.971Z", "datePublished": "2026-01-06T04:31:56.669Z", "dateUpdated": "2026-04-08T17:04:58.086Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:58.086Z"}, "affected": [{"vendor": "bww", "product": "URL Image Importer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176"}, {"url": "https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sirati Hiranthani"}], "timeline": [{"time": "2025-12-05T16:38:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T15:33:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T15:05:19.131906Z", "id": "CVE-2025-14120", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:05:30.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T15:05:19.131906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:05:23.491Z"}}], "cna": {"title": "URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Sirati Hiranthani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bww", "product": "URL Image Importer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T16:38:59.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T15:33:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176"}, {"url": "https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:58.086Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14120", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:58.086Z", "dateReserved": "2025-12-05T16:23:50.971Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T04:31:56.669Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El plugin URL Image Importer para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de cargas de archivos SVG en todas las versiones hasta la 1.0.7, inclusive, debido a una sanitizaci\u00f3n insuficiente de los archivos SVG. Esto hace posible que atacantes autenticados, con acceso de nivel Autor o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda al archivo SVG."}], "id": "CVE-2025-14120", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T05:15:49.430", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:51:03.842845+00:00", "value": {"mitigation_remediation": ["Upgrade the URL Image Importer plugin to a version newer than 1.0.7 or uninstall it if an update is not available", "Disable SVG file uploads by adjusting the plugin settings or adding a rule in wp-config.php to block the MIME type image/svg+xml", "Sanitize all uploaded SVG files before rendering, for example by using a library such as DOMPurify or WordPress\u2019 built\u2011in sanitization functions"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via SVG uploads"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed the URL Image Importer plugin version 1.0.7 or earlier is affected. Any environment where the plugin is present can be exploited if an authenticated Author user exists and can upload SVG files.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that allows an attacker with Author\u2011level permissions to upload an SVG file containing malicious scripts; once stored, any user who accesses the file will have the script executed in their browser, potentially compromising credentials, session data, or enabling further attacks. The flaw stems from insufficient sanitization of SVG content during upload, leading to arbitrary JavaScript injection, and corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while an EPSS score of less than 1% shows a very low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Nonetheless, authenticated authors can inject scripts that will run for all users who view the SVG, allowing attackers to steal session information, deface content, or launch further web\u2011based attacks."}}}}, "created": "2026-01-06T14:15:51.427543+00:00", "updated": "2026-04-21T17:00:12.318897+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}