EUVD-2025-197959

🗓️ 18 Nov 2025 12:30:18Reported by EUVDType

Stored cross site scripting in WordPress SVG upload plugin enables authors to inject scripts via SVG uploads.

Reporter	Title	Published	Views	Family All 9
CNNVD	WordPress plugin Enable SVG, WebP, and ICO Upload 跨站脚本漏洞	18 Nov 202500:00	–	cnnvd
CVE	CVE-2025-12457	18 Nov 202509:27	–	cve
Cvelist	CVE-2025-12457 Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads	18 Nov 202509:27	–	cvelist
NVD	CVE-2025-12457	18 Nov 202510:15	–	nvd
Patchstack	WordPress Enable SVG, WebP, and ICO Upload plugin <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads vulnerability	18 Nov 202504:45	–	patchstack
Positive Technologies	PT-2025-47280	18 Nov 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-12457	19 Nov 202510:23	–	redhatcve
Vulnrichment	CVE-2025-12457 Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads	18 Nov 202509:27	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025)	26 Nov 202515:02	–	wordfence

[
  {
    "enisaIdVendor": [
      {
        "id": "967bfe58-6e12-31c3-84c7-0f79be8c0d88",
        "vendor": {
          "name": "ideasToCode"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "ae49bd5f-cd15-3717-b3c9-147402ab91b2",
        "product": {
          "name": "Enable SVG, WebP, and ICO Upload"
        },
        "product_version": "* ≤1.1.2"
      }
    ]
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a
plugins	www.plugins.trac.wordpress.org/browser/enable-svg-webp-ico-upload/tags/1.1.2/includes/class-svg.php
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-12457

18 Nov 2025 12:30Current

4.7Medium risk

Vulners AI Score4.7

CVSS 3.16.4

EPSS0.0002

SSVC