Stored Cross-Site Scripting Vulnerability in Bit File Manager for WordPress
CVE-2025-1725

6.4MEDIUM

What is CVE-2025-1725?

The Bit File Manager plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping when handling SVG file uploads. Authenticated users with Subscriber-level access or higher can exploit this flaw to inject arbitrary scripts that execute when others access the compromised SVG files, posing a significant security risk to websites utilizing this plugin.

Affected Version(s)

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress * <= 6.7

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

TANG Cheuk Hei
.
CVE-2025-1725 : Stored Cross-Site Scripting Vulnerability in Bit File Manager for WordPress