Admin and Site Enhancements < 7.9.8 - Authenticated Stored XSS...

4.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Description

The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads

Basic Information

ID CVE-2025-9487

Source WPScan

Published Sep 22, 2025 at 06:00

Modified Sep 22, 2025 at 16:10

Affected Product

Vendor Unknown

Product Admin and Site Enhancements (ASE)

Affected Versions Unknown Admin and Site Enhancements (ASE) 0

CWE Classification

References

wpscan.com /vulnerability/b957b7c4-7a7c-497e-b8e4-499c821fb1b0/

{
    "lastseen": "",
    "description": "The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads",
    "published": "2025-09-22T06:00:14.172Z",
    "modified": "2025-09-22T16:10:43.154Z",
    "type": "cve",
    "title": "Admin and Site Enhancements < 7.9.8 - Authenticated Stored XSS via SVG",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/b957b7c4-7a7c-497e-b8e4-499c821fb1b0/",
    "id": "CVE-2025-9487",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown Admin and Site Enhancements (ASE) 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Admin and Site Enhancements (ASE)",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Admin and Site Enhancements < 7.9.8 - Authenticated Stored XSS via SVG_CVE-2025-9487