CVE-2025-9487
Description
The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Admin and Site Enhancements plugin before 7.9.8 fails to sanitize SVG uploads via xmlrpc.php, enabling stored XSS attacks.
The Admin and Site Enhancements (ASE) WordPress plugin versions prior to 7.9.8 contain a stored cross-site scripting vulnerability due to insufficient sanitization of SVG files uploaded through the XML-RPC interface (xmlrpc.php). When SVG uploads are enabled, the plugin does not strip potentially malicious JavaScript from SVG metadata or embedded scripts, allowing users to upload crafted SVG files containing XSS payloads [1].
Exploitation requires an authenticated user with the ability to upload files via XML-RPC. The attacker uploads a malicious SVG file that, when accessed or viewed by other users (such as administrators), executes JavaScript in the context of the victim's browser. The XSS payload can be used to perform actions on behalf of the victim, such as modifying site content or stealing session cookies [1].
The impact of this vulnerability is medium severity (CVSS 4.7). An authenticated attacker can inject arbitrary web scripts, which may lead to account compromise, data theft, or defacement of the WordPress site. The flaw does not require a privileged role beyond the ability to upload media via XML-RPC [1].
The vulnerability has been patched in version 7.9.8 of the plugin. Users are advised to update immediately. No workaround is currently available for older versions [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
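A defender-side check for the class of SVG content described above, added here as an example and not code from the plugin or the advisory: it parses an SVG and reports inline script elements, foreignObject embeds, event-handler attributes and javascript: links, the active content an upload path such as xmlrpc.php has to reject or strip before the file is served. The element and attribute list is a minimal assumption, and the two sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a benign icon and one carrying inert stand-ins for the
# kinds of active content the advisory describes.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
TAINTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>/* constructed */</script>'
    b'<rect width="1" height="1" onload="x()"/>'
    b'<a xlink:href="javascript:x()"><text>x</text></a>'
    b'</svg>'
)

# Elements that carry script or embedded HTML; extend for your own policy.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return human-readable findings; an empty list means no active content was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An unparseable file is rejected rather than trusted.
        return [f"unparseable SVG: {exc}"]
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload-time gate: run on every upload path, including XML-RPC."""
    return svg_findings(data) == []
```

In a WordPress deployment the same gate should sit behind both the media uploader and xmlrpc.php, since the advisory's point is that only one of those paths was sanitised.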
Affected products
2 entries:
- (no CPE) range: <7.9.8
- (no CPE) range: <7.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.