CVE-2025-2544: 
WordPress vulnerability analysis and mitigation

The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via SVG File uploads in all versions up to, and including, 1.6. The vulnerability was discovered and disclosed on April 4, 2025. The plugin allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages through SVG file uploads, which execute when users access the SVG file (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's file upload functionality, specifically for SVG files. The issue is present in the MIME type handling function 'aicontentpipelinesoneupcustommimetypes' where SVG files are allowed without proper sanitization. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (Wordfence Intel).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when viewing affected SVG files. This can lead to potential data theft, session hijacking, or other client-side attacks against site visitors. The impact is heightened by the persistent nature of the stored XSS, affecting any user who accesses the compromised SVG file (NVD CVE).

The plugin has been temporarily closed as of April 3, 2025, pending a full security review. Site administrators should either remove the plugin or disable SVG upload capabilities until a patched version is released. Additionally, administrators should review and potentially remove any previously uploaded SVG files (WordPress Plugin).