CVE-2025-9487: 
WordPress vulnerability analysis and mitigation

The Admin and Site Enhancements (ASE) WordPress plugin versions prior to 7.9.8 contains an authenticated Stored Cross-Site Scripting (XSS) vulnerability via SVG file uploads. The vulnerability was discovered and disclosed on September 1, 2025, and is tracked as CVE-2025-9487 (WPScan).

The vulnerability exists because the plugin does not properly sanitize SVG files when uploaded through xmlrpc.php when such uploads are enabled. This allows authenticated users to upload malicious SVG files containing XSS payloads. The vulnerability has been assigned a CVSS score of 5.1 (medium severity) (WPScan).

If successfully exploited, this vulnerability could allow authenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the malicious SVG file, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 7.9.8 of the Admin and Site Enhancements plugin. Site administrators should update to this version or later to protect against this vulnerability. If immediate updating is not possible, administrators can disable SVG upload functionality as a temporary workaround (WPScan).