CVE-2025-10700
Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the enable_unfiltered_files_upload function. This makes it possible for unauthenticated attackers to enable unfiltered file upload and add svg files to the upload list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Ally plugin (≤3.8.0) lets attackers trick admins into enabling unfiltered SVG uploads, increasing XSS risk.
Vulnerability
Overview
The Ally – Web Accessibility & Usability plugin for WordPress (versions up to and including 3.8.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the enable_unfiltered_files_upload function. The plugin fails to validate a nonce when processing the AJAX action ea11y_svg_upload, the handler that enables unfiltered file uploads and adds SVG files to the allowed upload list [1]. Because the handler accepts any request that arrives with an administrator's session cookie, an attacker can forge that request from another origin and have it executed on behalf of the authenticated administrator [1].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must trick a logged-in site administrator into performing an action such as clicking a malicious link or visiting a crafted page while logged into the WordPress admin panel. The vulnerable AJAX handler does check that the user has the manage_options capability, but because no CSRF nonce is required, an unauthenticated attacker can still trigger the state change by luring an admin to a hostile site [1]. No authentication or network access beyond the administrator's own browser session is needed.
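The following is an added illustrative example, not the Ally plugin's own code. It shows the CSRF-prone admin-ajax pattern the advisory describes (capability check present, nonce check absent) next to the corrected handler, using the ea11y_svg_upload action name from the advisory. The option name, the nonce action string 'ea11y_svg_upload_nonce', the script handle and all function bodies are assumptions for illustration.

```php
<?php
// Added example (not the Ally plugin's code). Option name, nonce action string,
// script handle and function bodies are assumptions.

// VULNERABLE pattern: the capability check passes for any request carrying the
// administrator's session cookie, and nothing ties the request to a token the
// attacker cannot obtain. A cross-origin request from a lured admin's browser
// therefore reaches the state change.
function vulnerable_enable_unfiltered_files_upload() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // State change with no nonce check: forgeable.
    update_option( 'example_unfiltered_svg_upload', 1 );
    wp_send_json_success();
}

// HARDENED pattern: verify the AJAX nonce before any state is touched.
// check_ajax_referer() with the default $stop=true dies with -1 and HTTP 403
// when the 'nonce' field is missing or does not verify, which is exactly what
// a forged cross-site request will trigger. The capability check is kept:
// the nonce proves intent, the capability proves authorization.
function hardened_enable_unfiltered_files_upload() {
    check_ajax_referer( 'ea11y_svg_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_unfiltered_svg_upload', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_ea11y_svg_upload', 'hardened_enable_unfiltered_files_upload' );

// The legitimate settings page must receive the nonce so that its own
// requests still pass. wp_create_nonce() binds the token to the logged-in
// user and a time window; an attacker's page cannot read it.
function example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ea11y_svg_upload_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The client-side script (the assumed admin.js) would send `exampleAjax.nonce` as the `nonce` field along with `action=ea11y_svg_upload`. When reviewing a plugin for this class of bug, look for every `wp_ajax_*` callback that mutates options or settings and confirm it calls `check_ajax_referer()` or `wp_verify_nonce()` before the mutation; a `current_user_can()` check alone, as in the vulnerable function above, does not stop CSRF.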
Impact
Successful exploitation enables unfiltered file uploads and adds SVG files to the allowed upload list. Since SVG is an XML format that can carry embedded JavaScript and other interactive content, allowing it (and unfiltered uploads generally) weakens the site's security posture and increases the risk of stored cross-site scripting (XSS) attacks, data smuggling, and other content-based abuses [1]. Note that the CSRF itself only flips the setting; the follow-on damage depends on who can then upload files to the site.
Mitigation
The vendor has not yet released a patched version. As of the publication date, all versions up to and including 3.8.0 are affected. Site administrators should consider disabling the plugin or applying a Web Application Firewall (WAF) rule to block forged requests to the ea11y_svg_upload AJAX action until an official fix is available [1].
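If a WAF is not available, the same stop-gap can be applied inside WordPress. The following is an added example, not vendor code: a must-use plugin that terminates requests to the ea11y_svg_upload AJAX action before the plugin's own handler runs. It assumes the plugin registers its handler on the standard `wp_ajax_ea11y_svg_upload` hook at the default priority (10); the file name, log format and message text are illustrative.

```php
<?php
/**
 * Plugin Name: Block ea11y_svg_upload (temporary)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 * to refuse the vulnerable AJAX action until a patched Ally release is installed.
 */

// Assumption: the plugin hooks the authenticated AJAX action at the default
// priority 10. Registering at priority 1 means this callback runs first and
// ends the request, so the plugin's handler never executes. Must-use plugins
// load before regular plugins, but the priority argument is what guarantees
// the ordering on the hook.
function example_block_ea11y_svg_upload() {
    // Record the attempt: a hit here from a logged-in admin with an external
    // Referer is a useful detection signal for a CSRF attempt.
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    error_log( sprintf(
        'Blocked ea11y_svg_upload AJAX action: user=%d referer=%s',
        get_current_user_id(),
        $referer
    ) );
    // Integer second argument to wp_die() is treated as the HTTP status code.
    wp_die( 'This action is disabled pending a security fix.', 403 );
}
add_action( 'wp_ajax_ea11y_svg_upload', 'example_block_ea11y_svg_upload', 1 );
// Defensive: also cover the unauthenticated hook in case it is registered.
add_action( 'wp_ajax_nopriv_ea11y_svg_upload', 'example_block_ea11y_svg_upload', 1 );
```

This also disables the legitimate admin toggle for SVG uploads, which is the intended trade-off until a release later than 3.8.0 that adds nonce validation is available; remove the file once that release is installed.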
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.