CVE-2025-4963
📋 TL;DR
The WP Extended plugin for WordPress has a stored XSS vulnerability in SVG file upload functionality. Authenticated attackers with Author-level permissions or higher can upload malicious SVG files containing JavaScript that executes when users view those files. This affects all WordPress sites using WP Extended plugin versions up to 3.0.15.
💻 Affected Systems
- WP Extended WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with author accounts inject malicious scripts to steal visitor session cookies or credentials, potentially compromising user accounts.
If Mitigated
With proper user access controls and content security policies, impact is limited to the specific SVG files uploaded by malicious authors.
🎯 Exploit Status
Exploitation requires authenticated access with at least Author privileges. SVG file upload with embedded JavaScript is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.16 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3300818/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Extended plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 3.0.16+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable SVG Uploads
allPrevent SVG file uploads through WordPress filters
Add to theme's functions.php: add_filter('upload_mimes', function($mimes) { unset($mimes['svg']); unset($mimes['svgz']); return $mimes; });
Restrict Author Role Access
allTemporarily remove upload capabilities from Author roles
Add to theme's functions.php: add_action('admin_init', function() { $role = get_role('author'); if($role) { $role->remove_cap('upload_files'); } });
🧯 If You Can't Patch
- Disable WP Extended plugin completely until patched
- Implement Content Security Policy (CSP) headers to restrict script execution from SVG files
🔍 How to Verify
Check if Vulnerable:
Check WP Extended plugin version in WordPress admin under Plugins > Installed PluginsCheck Version:
wp plugin list --name=wpextended --field=versionVerify Fix Applied:
Verify plugin version is 3.0.16 or higher and test SVG upload with script tags to confirm sanitization📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author-level users
- Multiple failed SVG upload attempts
- Admin user viewing SVG files from suspicious authors
Network Indicators:
- Requests to SVG files with suspicious parameters
- Outbound connections from SVG file views to external domains
SIEM Query:
source="wordpress.log" AND ("svg" OR ".svg") AND ("upload" OR "author")