Critical Alert: Stored XSS Vulnerability Discovered in Omnipress WordPress Plugin (CVE-2025-12163)

Overview

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Omnipress WordPress plugin. This vulnerability, tracked as CVE-2025-12163, affects versions up to and including 1.6.3. It allows authenticated attackers with Author-level permissions or higher to inject arbitrary web scripts into SVG files uploaded through the plugin. These scripts will then execute whenever a user accesses the affected SVG file.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping during the processing of SVG file uploads. Specifically, the Omnipress plugin fails to properly sanitize user-supplied data within SVG files before storing them on the server. This allows an attacker to inject malicious JavaScript code into an SVG file.

The following files within the Omnipress plugin code are implicated (see the References section for the entries):

  • RestControllersBase.php (line 81)
  • FileUploadRestController.php (line 57)
  • FileUploader.php (lines 85 and 106)

Attackers can leverage the WordPress REST API endpoints used by the Omnipress plugin to upload malicious SVG files. The lack of proper sanitization allows the injected script to be stored persistently, resulting in a stored XSS vulnerability.

CVSS Analysis

  • CVE ID: CVE-2025-12163
  • Severity: MEDIUM
  • CVSS Score: 6.4
  • CVSS Vector: not given in this report; consult the Wordfence Threat Intelligence report listed in the References for the vector string.

This vulnerability is rated as Medium due to the requirement of authentication (Author-level access or higher) and the need for a user to interact with the malicious SVG file for the script to execute. However, the potential impact of a successful XSS attack can still be significant.

Possible Impact

A successful exploitation of this vulnerability could allow an attacker to:

  • Steal sensitive information, such as user cookies and session tokens.
  • Deface the website.
  • Redirect users to malicious websites.
  • Gain administrative access to the WordPress site if an administrator views the malicious SVG.
  • Inject malware into the website.

Since the vulnerability is Stored XSS, the impact can persist and affect multiple users accessing the compromised SVG file, making it a significant security concern.

Mitigation and Patch Steps

The most effective mitigation is to update the Omnipress plugin to the latest version as soon as a patched version becomes available. Contact the plugin developer for the latest security updates. In the meantime, consider these steps:

  • Update to the latest version: Upgrade to the latest version of the Omnipress plugin if a patched version is released.
  • Disable SVG uploads: If possible and not essential for your workflow, disable SVG file uploads in WordPress. You can use a plugin to restrict file types or configure your server to block SVG uploads.
  • Implement a strict Content Security Policy (CSP): Configure a CSP header to restrict the sources from which the browser can load and execute scripts, reducing the impact of XSS attacks. Note that when an SVG is opened directly in the browser, the policy must be sent on the SVG response itself (typically via the web server's static-file configuration), not only on WordPress-rendered pages.
  • Monitor WordPress activity: Regularly monitor your WordPress site for suspicious activity, such as unauthorized file uploads or modifications.
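The validation the plugin lacked (rejecting SVGs that carry script elements, event-handler attributes or javascript: links before they are stored) and the audit the last bullet calls for can share one routine. The following is an added example written for this post, not code from Omnipress or from the original advisory; it assumes Python 3 and an uploads directory path you supply, and the two sample SVGs are constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
ACTIVE_SCHEMES = ("javascript:", "data:text/html")
MAX_BYTES = 2 * 1024 * 1024  # refuse oversized files before handing them to the XML parser

def _local(name):
    return name.rsplit("}", 1)[-1].lower()  # '{http://www.w3.org/2000/svg}script' -> 'script'

def svg_findings(data):
    """Return a list of reasons the SVG carries active content; an empty list means none found."""
    if len(data) > MAX_BYTES:
        return ["file too large"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append("<%s> element" % tag)
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload=, onclick=, onerror=, onbegin=, ...
                findings.append("event handler %s= on <%s>" % (aname, tag))
            # collapse whitespace so a split scheme such as 'java\nscript:' is still caught
            if attr in HREF_ATTRS and "".join(value.split()).lower().startswith(ACTIVE_SCHEMES):
                findings.append("active URL scheme in %s on <%s>" % (aname, tag))
    return findings

def scan_uploads(directory):
    """Walk a directory such as wp-content/uploads and report unsafe .svg files by path."""
    report = {}
    for dirpath, _, files in os.walk(directory):
        for fn in files:
            if not fn.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings = svg_findings(fh.read(MAX_BYTES + 1))
            if findings:
                report[path] = findings
    return report

# Constructed samples (not taken from the advisory): a plain shape and one carrying script hooks.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8" fill="red"/></svg>'
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                 b'<script>alert(1)</script><a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>')
```

Rejecting a flagged file is safer than trying to strip the offending parts; if SVG uploads must stay enabled, serving them with a Content-Disposition: attachment header keeps the browser from rendering them as a page.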

References

CWE-434: Unrestricted Upload of File with Dangerous Type
OWASP: Unrestricted File Upload
Omnipress Plugin – RestControllersBase.php (Line 81)
Omnipress Plugin – FileUploadRestController.php (Line 57)
Omnipress Plugin – FileUploader.php (Line 106)
Omnipress Plugin – FileUploader.php (Line 85)
Wordfence Threat Intelligence Report

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
