{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2576", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-20T21:32:28.756Z", "datePublished": "2025-03-26T02:23:48.216Z", "dateUpdated": "2026-04-08T16:57:18.044Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:18.044Z"}, "affected": [{"vendor": "themerox", "product": "Ayyash Studio \u2014 The kick-start kit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ayyash Studio \u2014 The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "Ayyash Studio <= 1.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/634fa1ed-ad6b-4875-b6f9-f20add39dc80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L351"}, {"url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L37"}, {"url": "https://wordpress.org/plugins/ayyash-studio/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-03-25T14:11:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T14:42:40.567250Z", "id": "CVE-2025-2576", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T14:43:03.100Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2576", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-26T14:42:40.567250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T14:42:43.532Z"}}], "cna": {"title": "Ayyash Studio <= 1.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themerox", "product": "Ayyash Studio \u2014 The kick-start kit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-25T14:11:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/634fa1ed-ad6b-4875-b6f9-f20add39dc80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L351"}, {"url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L37"}, {"url": "https://wordpress.org/plugins/ayyash-studio/#developers"}], "descriptions": [{"lang": "en", "value": "The Ayyash Studio \u2014 The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:18.044Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2576", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:18.044Z", "dateReserved": "2025-03-20T21:32:28.756Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-26T02:23:48.216Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ayyash Studio \u2014 The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El complemento Ayyash Studio \u2014 The kick-start kit para WordPress es vulnerable a Cross-Site Scripting Almacenado al subir archivos SVG en todas las versiones hasta la 1.0.3 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario al archivo SVG."}], "id": "CVE-2025-2576", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-26T03:15:13.213", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L351"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ayyash-studio/tags/1.0.3/includes/Importer/Wxr/StudioImporter.php#L37"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ayyash-studio/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/634fa1ed-ad6b-4875-b6f9-f20add39dc80?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:14:31.434047+00:00", "value": {"mitigation_remediation": ["Check for and install any newer version of Ayyash Studio that contains the fix if it is available.", "If no update exists, restrict SVG file uploads for Author and higher roles by disabling the SVG MIME type or using a role\u2011management plugin to remove upload capability for those roles.", "Apply server\u2011side sanitization to SVG uploads, for example by using WordPress\u2019s wp_kses or a similar filtering function to remove script elements before the file is stored."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Ayyash Studio \u2013 The kick\u2011start kit plugin for WordPress up to and including version 1.0.3 are affected. The plugin is distributed by themerox and installed on WordPress sites that grant author\u2011level access for content upload.", "description_and_impact": "The Ayyash Studio plugin for WordPress contains a stored cross\u2011site scripting flaw where authenticated users with Author-level or higher access can upload SVG files that are not properly sanitized or escaped. Malicious JavaScript can be embedded inside these SVG files, which the plugin stores and then serves to any user who opens the file. The injected script runs in the victim\u2019s browser when the file is viewed, exposing the site to client\u2011side code execution.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently rare. The flaw is not listed in the CISA KEV catalog. Attacking this vulnerability requires an authenticated account with Author or higher privileges, after which an attacker can upload a malicious SVG. Once stored, the payload executes automatically for any user who accesses the file, creating a persistent client\u2011side attack vector."}}}}, "created": "2026-04-22T04:15:07.541212+00:00", "updated": "2026-04-22T04:15:07.541222+00:00", "vendors": []}