Description

The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when they are uploaded via xmlrpc.php (when such uploads are enabled), which could allow users to upload a malicious SVG containing XSS payloads.

State: PUBLISHED | Reserved 2025-08-26 | Published 2025-09-22 | Updated 2025-09-22 | Assigner: WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unaffected

Any version before 7.9.8: affected

Credits

NGUYEN HOANG DUY (finder)

WPScan (coordinator)

References

wpscan.com/...rability/b957b7c4-7a7c-497e-b8e4-499c821fb1b0/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-9487)

nvd.nist.gov (CVE-2025-9487)