{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2513", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-18T23:20:23.514Z", "datePublished": "2025-04-02T09:21:43.968Z", "dateUpdated": "2026-04-08T17:03:21.630Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:21.630Z"}, "affected": [{"vendor": "smartpixels", "product": "Smart Icons For WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Icons For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "Smart Icons For WordPress <= 1.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5d8eac-fca9-4222-9a5f-a12748d298ec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/includes/media.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/smart_icons_for_wordpress.php#L86"}, {"url": "https://wordpress.org/plugins/smartifw/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-04-01T20:28:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-02T14:44:11.271608Z", "id": "CVE-2025-2513", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T14:44:24.101Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-02T14:44:11.271608Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T14:44:16.370Z"}}], "cna": {"title": "Smart Icons For WordPress <= 1.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smartpixels", "product": "Smart Icons For WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-01T20:28:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5d8eac-fca9-4222-9a5f-a12748d298ec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/includes/media.php#L3"}, {"url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/smart_icons_for_wordpress.php#L86"}, {"url": "https://wordpress.org/plugins/smartifw/#developers"}], "descriptions": [{"lang": "en", "value": "The Smart Icons For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:21.630Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2513", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:21.630Z", "dateReserved": "2025-03-18T23:20:23.514Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-02T09:21:43.968Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Icons For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El complemento Smart Icons For WordPress es vulnerable a cross-site scripting almacenado al subir archivos SVG en todas las versiones hasta la 1.0.4 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de editor o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario al archivo SVG."}], "id": "CVE-2025-2513", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-02T10:15:19.540", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/includes/media.php#L3"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smartifw/tags/1.0.4/smart_icons_for_wordpress.php#L86"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/smartifw/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5d8eac-fca9-4222-9a5f-a12748d298ec?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:30:35.807660+00:00", "value": {"mitigation_remediation": ["Update Smart Icons For WordPress to the latest available version, or remove the plugin if it is no longer supported.", "If an update is not available, disable the SVG upload feature or restrict it to administrators only.", "Implement a web application firewall or file\u2011upload sanitizer that strips disallowed tags from SVG content to prevent script injection."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the Smart Icons For WordPress plugin (smartpixels:Smart Icons For WordPress) at version 1.0.4 or earlier are affected. Any site running this plugin and allowing SVG uploads is vulnerable.", "description_and_impact": "The Smart Icons For WordPress plugin permits users to upload SVG files, but the code fails to sanitize and escape user input. Consequently, an attacker with Editor-level or higher privileges can embed malicious script tags inside an SVG upload, causing those scripts to run whenever any site visitor loads the file. This stored cross\u2011site scripting flaw is a classic CWE\u201179 problem that can lead to session hijacking, defacement, or credential theft.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.4, indicating moderate severity. Its EPSS score is below 1%, suggesting that exploitation attempts are currently rare, and it is not listed in the CISA KEV catalog. However, because the flaw requires authenticated access with at least Editor rights, the attack vector is internal, so attackers must already have legitimate site access to exploit it."}}}}, "created": "2026-04-21T21:30:45.750734+00:00", "updated": "2026-04-21T21:30:45.750746+00:00", "vendors": []}