Stored Cross-Site Scripting Vulnerability in BSK PDF Manager Plugin for WordPress
CVE-2025-4970

5.5MEDIUM

Key Information:

Vendor

WordPress
Status
Bsk PDF Manager
Vendor
CVE Published:
12 December 2025

What is CVE-2025-4970?

The BSK PDF Manager plugin for WordPress contains a security flaw allowing for Stored Cross-Site Scripting. This vulnerability stems from inadequate input sanitization and output escaping, specifically regarding SVG file uploads. Authenticated attackers with Administrator-level access can exploit this weakness to inject malicious web scripts. This risk primarily affects multi-site installations and those where the unfiltered_html option is disabled, posing a significant threat to user security when accessing the SVG files.

Affected Version(s)

BSK PDF Manager * <= 3.7.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/bsk-pdf-manager/#developers
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rajan Kshedal
JSON
.
CVE-2025-4970 : Stored Cross-Site Scripting Vulnerability in BSK PDF Manager Plugin for WordPress