CVE-2025-12880

Vulnerability

Analysis

The Progress Bar Blocks for Gutenberg plugin (progressmatify) for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 1.0.0. The root cause is insufficient input sanitization and output escaping when handling SVG file uploads. This allows attackers to embed malicious JavaScript within SVG images [1].

Exploitation

To exploit this vulnerability, an attacker must have authenticated access with at least Author-level privileges (or higher, such as Editor or Administrator). The attacker uploads a crafted SVG file containing arbitrary JavaScript code. When any user subsequently accesses the uploaded SVG file (e.g., by viewing a page or post containing it), the injected script executes in the context of the victim's browser session [1].

Impact

Successful exploitation results in Stored Cross-Site Scripting, which can lead to session hijacking, credential theft, defacement of WordPress pages, or distribution of malware. The plugin has been closed as of November 7, 2025, due to this security issue [1].

Mitigation

Users should immediately remove the plugin from their WordPress installations and replace it with an alternative. As the plugin is no longer available for download, no patch is forthcoming; sites using version 1.0.0 or earlier are effectively vulnerable and must deactivate or delete it [1].