{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4963", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-19T19:18:31.576Z", "datePublished": "2025-05-28T09:22:13.823Z", "dateUpdated": "2026-04-08T17:31:04.737Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:04.737Z"}, "affected": [{"vendor": "wpextended", "product": "The Ultimate WordPress Toolkit \u2013 WP Extended", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabdd744-1a72-40f2-b569-f56a1b913273?source=cve"}, {"url": "https://wpextended.io/module_resources/svg-file-upload/"}, {"url": "https://wordpress.org/plugins/wpextended/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300818/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rajan Kshedal"}], "timeline": [{"time": "2025-05-27T20:29:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-28T13:27:08.521386Z", "id": "CVE-2025-4963", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T13:27:29.848Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4963", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-28T13:27:08.521386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T13:27:13.686Z"}}], "cna": {"title": "WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Rajan Kshedal"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpextended", "product": "The Ultimate WordPress Toolkit \u2013 WP Extended", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-27T20:29:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabdd744-1a72-40f2-b569-f56a1b913273?source=cve"}, {"url": "https://wpextended.io/module_resources/svg-file-upload/"}, {"url": "https://wordpress.org/plugins/wpextended/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3300818/"}], "descriptions": [{"lang": "en", "value": "The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:04.737Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4963", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:04.737Z", "dateReserved": "2025-05-19T19:18:31.576Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-28T09:22:13.823Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El complemento WP Extended para WordPress es vulnerable a Cross-Site Scripting almacenado al subir archivos SVG en todas las versiones hasta la 3.0.15 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario al archivo SVG."}], "id": "CVE-2025-4963", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-28T10:15:21.687", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3300818/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpextended/#developers"}, {"source": "security@wordfence.com", "url": "https://wpextended.io/module_resources/svg-file-upload/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabdd744-1a72-40f2-b569-f56a1b913273?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:44:15.260597+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Extended plugin to version 3.0.16 or newer, which implements proper SVG sanitization and output escaping.", "If an upgrade is not immediately possible, restrict SVG uploads to trusted administrators only or disable SVG file uploads entirely until a patch is applied.", "Implement or strengthen Content Security Policy headers to block inline script execution, reducing the risk of XSS from uploaded SVG content."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the WP Extended plugin up to and including version 3.0.15. Users of earlier releases must install the plugin from the WordPress repository or from the vendor\u2019s website, and verify that the plugin version is 3.0.15 or older.", "description_and_impact": "The WP Extended plugin allows authenticated users with Author level or higher to upload SVG files that are stored without proper sanitization or escaping. This flaw permits the injection of arbitrary JavaScript, which will execute when any user views the SVG file. The weakness is classified as CWE\u201179, indicating a failure to protect against cross\u2011site scripting attacks.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate severity. The EPSS score indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs authenticated access at the Author level or higher and must upload a malicious SVG. Once uploaded, any user who opens the SVG will cause the injected script to run, potentially allowing the attacker to steal session data, deface the site, or further exploit client browsers. Due to the authentication requirement, the potential impact is limited to sites with compromised author accounts but can be severe for site visitors if their session is hijacked."}}}}, "created": "2026-04-20T22:45:20.548328+00:00", "updated": "2026-04-20T22:45:20.548338+00:00", "vendors": []}