CVE-2025-3056
Description
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Download Manager plugin <=3.3.12 via SVG upload allows authenticated authors to inject scripts.
Vulnerability
The WordPress Download Manager plugin, in all versions up to and including 3.3.12, contains a Stored Cross-Site Scripting (XSS) vulnerability via SVG file uploads. The plugin fails to properly sanitize uploaded SVG files and escape output, allowing malicious scripts to be stored. [1]
Exploitation
An authenticated attacker with at least Author-level access can upload a crafted SVG file containing embedded JavaScript. When any user (including administrators) views the SVG file, the script executes in their browser.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session cookie theft, website defacement, or redirection to malicious sites. The vulnerability is considered medium severity (CVSS 5.4) due to the authentication requirement and user interaction required to view the file.
Mitigation
The issue is addressed in version 3.3.13 of the plugin. Users are strongly advised to update to the latest version (3.3.55 as of the advisory) where the vulnerability is patched. [1] Alternatively, administrators can restrict SVG file upload capabilities for lower-privileged users or disable SVG uploads entirely if not needed.
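As an added example (not from the advisory, its reference, or the plugin's own code), a WordPress must-use plugin implementing the mitigation above: SVG uploads are dropped for non-administrators, and any SVG that still reaches the uploader is refused when it carries script. It assumes the upload path honours WordPress's `upload_mimes` and `wp_handle_upload_prefilter` filters (an upload handler that bypasses `wp_handle_upload` is not covered), and the helper name `svg_has_active_content` is hypothetical.

```php
<?php
/**
 * Plugin Name: Restrict SVG uploads (example mitigation)
 */

// 1. Drop SVG from the permitted upload types unless the current user is an
//    administrator. Core WordPress does not allow SVG by default; this undoes
//    any plugin or theme that re-enabled it for lower-privileged roles.
add_filter( 'upload_mimes', function ( array $mimes ): array {
    if ( ! current_user_can( 'manage_options' ) ) {
        unset( $mimes['svg'], $mimes['svgz'] );
    }
    return $mimes;
}, PHP_INT_MAX );

// 2. Defence in depth for users who may still upload SVG: refuse files whose
//    content carries script. Runs before the file is moved into uploads.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'svg', 'svgz' ), true ) ) {
        return $file;
    }
    $body = file_get_contents( $file['tmp_name'] );
    if ( 'svgz' === $ext && false !== $body ) {
        $body = gzdecode( $body ); // svgz is gzip-compressed SVG
    }
    if ( false === $body || svg_has_active_content( $body ) ) {
        $file['error'] = 'SVG files containing script or event handlers are not allowed.';
    }
    return $file;
} );

// Conservative textual check (hypothetical helper): flags <script> elements,
// on* event-handler attributes, javascript: URLs and <foreignObject>.
// A full SVG sanitiser is preferable in production.
function svg_has_active_content( string $body ): bool {
    $patterns = array(
        '/<\s*script\b/i',
        '/\bon[a-z]+\s*=/i',
        '/javascript\s*:/i',
        '/<\s*foreignObject\b/i',
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $body ) ) {
            return true;
        }
    }
    return false;
}
```

Save it under wp-content/mu-plugins/ so it loads on every request without activation.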
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=3.3.12
Patches
- r3275196
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.