CVE-2025-2541: 
WordPress vulnerability analysis and mitigation

The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via SVG File uploads in versions up to and including 2.6.22. The vulnerability was discovered and disclosed on April 11, 2025. This security issue affects authenticated users with Author-level access and above, allowing them to inject arbitrary web scripts through SVG file uploads that execute when users access the file (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. It has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers to inject malicious web scripts that execute in the context of other users' browsers when they access the compromised SVG file. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (NVD).

The vulnerability has been patched in version 2.6.23 of the WP Project Manager plugin. The update includes SVG file upload sanitization and security improvements. Users are strongly advised to update to this version immediately. The patch implements proper sanitization of SVG files during upload and improved security checks (WordPress Plugin).