| Plugin Name | Easy SVG Support |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-12451 |
| Urgency | Low |
| CVE Publish Date | 2026-02-18 |
| Source URL | CVE-2025-12451 |
Urgent Security Advisory: Authenticated (Author) Stored XSS via SVG Upload in Easy SVG Support (≤ 4.0)
Author: Hong Kong Security Expert
Date: 18 Feb 2026
Affected plugin: Easy SVG Support (WordPress)
Vulnerable versions: ≤ 4.0
Fixed in: 4.1
CVE: CVE-2025-12451
Severity (site impact): Low (CVSS ~5.9) — context matters
Executive summary
Easy SVG Support up to version 4.0 fails to adequately validate and sanitize uploaded SVG files. An authenticated user with Author (or higher) privileges can upload crafted SVGs containing embedded script, event handlers, or javascript: URIs. When such SVGs are stored and later rendered in contexts that allow script execution, a stored Cross‑Site Scripting (XSS) condition can occur. Update to Easy SVG Support 4.1 or later as the definitive fix. If immediate update is not possible, apply the mitigations in this advisory.
What happened?
The plugin accepted and stored SVG files without sufficient server-side sanitization. An authenticated user with the ability to upload media can embed executable constructs in an SVG. When an administrator or other privileged user views the page or media item where the SVG is rendered inline, the embedded script can execute in that user’s browser, potentially performing actions in the context of their session.
- Attack vector: Authenticated upload of a crafted SVG file.
- Required privilege: Author (authors can upload media by default on many WordPress sites).
- Exploit type: Stored XSS in site content delivered to other users (including admins).
- Fixed in: Easy SVG Support 4.1.
- Detection indicators: SVG attachments containing
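A defender-side check for the constructs named above, added here as an example (not code from the advisory or from the Easy SVG Support plugin): it parses a stored SVG attachment as XML and flags script elements, on* event handlers and javascript: URIs; the two sample SVGs are constructed, and the browser normalisation rules noted in the comments are assumptions.

```python
"""Flag SVG attachments carrying script-bearing constructs.

Looks for the constructs the advisory names: <script> elements, on* event
handler attributes and javascript: URIs in href / xlink:href. Parsing as XML
(rather than grepping) decodes character references such as &#106; ('j')
before the check; the URI scheme is then normalised the way browsers do.
"""
import re
import xml.etree.ElementTree as ET

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def _is_script_uri(value: str) -> bool:
    """Browsers skip leading whitespace, fold case and drop embedded tab/LF/CR."""
    cleaned = re.sub(r"[\t\n\r]", "", value).lstrip().lower()
    return cleaned.startswith("javascript:")

def find_svg_risks(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _is_script_uri(value):
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings

# Constructed samples: a benign icon and one carrying all three constructs.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
RISKY_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    "<script>alert(1)</script>"
    '<rect onLoad="alert(2)"/>'
    '<a xlink:href=" &#106;avascript:alert(3)"><text>x</text></a>'
    "</svg>"
)
```

Run `find_svg_risks` over each SVG in the uploads directory (for example under `wp-content/uploads`) and review anything that returns a non-empty list; a non-empty result is a reason to quarantine the file, not proof of exploitation.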