Stored Cross-Site Scripting Vulnerability in WP Extended Plugin for WordPress
CVE-2025-4963

6.4 MEDIUM

What is CVE-2025-4963?

The WP Extended plugin for WordPress suffers from a stored cross-site scripting vulnerability that arises from inadequate input sanitization and output escaping mechanisms. This vulnerability specifically affects versions up to and including 3.0.15. Authenticated attackers with Author-level permissions or higher can exploit this flaw by uploading malicious SVG files. When these files are accessed, they can execute arbitrary web scripts within the context of the victim’s session, leading to potential data theft or other malicious actions.
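
The root cause above is that uploaded SVG files are accepted and later served without the script-bearing parts being sanitized or escaped. As an added, defender-side example that is not part of this advisory or of the WP Extended plugin's code, the following Python validator (with constructed sample files) shows the kind of upload-time check that rejects script elements, event-handler attributes and script-scheme links in an SVG; the tag and attribute policy it applies is an assumption for illustration.

```python
import xml.etree.ElementTree as ET

# Policy (assumed for this example): elements that let an SVG run script or embed arbitrary HTML.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes in href/xlink:href that execute or load active content when rendered in a browser.
FORBIDDEN_SCHEMES = ("javascript:", "data:", "vbscript:")


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the policy violations found in an SVG document; an empty list means it passed."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        # '{http://www.w3.org/2000/svg}script' -> 'script'; non-str tags (comments/PIs) are skipped
        local = elem.tag.rsplit("}", 1)[-1].lower() if isinstance(elem.tag, str) else ""
        if local in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{local}>")
        for attr, value in elem.attrib.items():
            attr_local = attr.rsplit("}", 1)[-1].lower()  # drops the xlink namespace from xlink:href
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{local}>")
            # browsers tolerate whitespace inside the scheme, so remove all of it before comparing
            normalized = "".join(value.split()).lower()
            if attr_local == "href" and normalized.startswith(FORBIDDEN_SCHEMES):
                findings.append(f"href with {normalized.split(':', 1)[0]}: scheme on <{local}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the SVG parses and contains none of the forbidden constructs."""
    return not svg_findings(svg_bytes)


# Constructed sample inputs (not files from the advisory).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                b'<script>alert(1)</script></svg>')
LINKED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="java\tscript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG), ("linked", LINKED_SVG)):
        print(name, "->", svg_findings(doc) or "ok")
```

A validator like this is only one layer: keeping SVG uploads disabled for lower-privileged roles, or serving user-supplied SVGs as downloads or from a separate origin, also keeps any embedded script out of the site's session.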

Affected Version(s)

The Ultimate WordPress Toolkit – WP Extended: <= 3.0.15

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rajan Kshedal