CVE-2025-1725: 
WordPress vulnerability analysis and mitigation

The Bit File Manager WordPress plugin (versions up to 6.7) contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-1725. The vulnerability was discovered and disclosed on June 3, 2025. This security flaw affects the plugin's file upload functionality, specifically when handling SVG files, due to insufficient input sanitization and output escaping (NVD, Wiz).

The vulnerability stems from inadequate input sanitization and output escaping mechanisms when processing SVG file uploads in the Bit File Manager plugin. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts through SVG file uploads. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially compromising the security of the WordPress installation (NVD).

Users are advised to update to a version newer than 6.7 when available. In the interim, it is recommended to restrict SVG file upload capabilities and implement additional input validation for file uploads (Wiz).