vulnerability
WordPress Plugin: enable-svg-webp-ico-upload: CVE-2025-13069: Unrestricted Upload of File with Dangerous Type
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Nov 17, 2025 | Dec 15, 2025 | Dec 15, 2025 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Nov 17, 2025
Added
Dec 15, 2025
Modified
Dec 15, 2025
Description
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Solution
enable-svg-webp-ico-upload-plugin-cve-2025-13069
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.