CVE-2025-12163
Description
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Omnipress WordPress plugin (≤1.6.5) allows authenticated authors to upload SVG files with stored XSS due to insufficient sanitization.
Vulnerability
Overview
The Omnipress plugin for WordPress, in all versions up to and including 1.6.5, contains a Stored Cross-Site Scripting (XSS) vulnerability arising from insufficient input sanitization and output escaping during SVG file uploads [1]. This flaw falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), as the plugin fails to properly validate or sanitize SVG files, which can contain embedded JavaScript [1][2].
Exploitation
Prerequisites
An attacker must be authenticated with at least Author-level access to the WordPress site. The attacker can then upload a malicious SVG file containing arbitrary web scripts. When any user (including administrators or visitors) accesses the uploaded SVG file, the injected script executes in the context of the victim's browser [1]. No additional privileges or network position are required beyond the authenticated session.
Impact
Successful exploitation allows the attacker to inject arbitrary JavaScript or other web scripts into pages viewed by other users. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies or authentication tokens. The stored nature of the XSS means the payload persists until the malicious file is removed [1].
Mitigation
As of the publication date, no patched version has been released. Users are advised to restrict SVG upload capabilities for Author-level users or disable SVG uploads entirely until an update is available. The vendor has not yet provided a fix [1].
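Added here as an example (not code from the CVE record or the Omnipress plugin): a defender-side check in Python that flags SVG uploads carrying the active content that turns an SVG file into stored XSS when a browser renders it directly (script elements, event-handler attributes, javascript: URLs, foreignObject). The sample SVG strings are constructed for the demo, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Element names and attribute patterns that make an SVG executable in a browser.
ACTIVE_TAGS = {"script", "foreignobject"}


def _localname(tag):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes):
    """Return the reasons an SVG should be rejected; an empty list means no active content found."""
    try:
        # For production use prefer defusedxml, which also blocks entity-expansion tricks.
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Unparsable input is rejected rather than trusted: browsers are more lenient than parsers.
        return [f"unparsable XML: {exc}"]
    findings = []
    for el in root.iter():
        name = _localname(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _localname(attr)  # handles xlink:href as well as plain href
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the scanner found nothing to object to."""
    return not svg_findings(svg_bytes)


# Constructed samples: a plain vector image and two carrying active content (bodies omitted).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* omitted */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>'

if __name__ == "__main__":
    for label, data in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)]:
        print(label, svg_findings(data) or "ok")
```

Run it over the uploads directory (or wire it into the upload path before the file is written) to reject or quarantine SVGs with findings; serving SVGs with a Content-Disposition: attachment header further keeps the browser from executing them inline.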
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both with version range <=1.6.5:
- (no CPE) range: <=1.6.5
- (no CPE) range: <=1.6.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cwe.mitre.org/data/definitions/434.html (source: nvd)
- owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload (source: nvd)
- plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/Core/RestControllersBase.php (source: nvd)
- plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/RestApi/Controllers/V1/FileUploadRestController.php (source: nvd)
- plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php (source: nvd)
- plugins.trac.wordpress.org/changeset (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/15aabe3b-1b77-4e4e-9710-cf06924dbcbf (source: nvd)
News mentions
No linked articles in our index yet.