WebsiteBaker Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in WebsiteBaker version 2.13.3. This issue allows authenticated users to upload malicious SVG files containing embedded JavaScript. When these crafted SVG files are viewed, the JavaScript executes, leading to persistent cross-site scripting attacks.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute embedded JavaScript when accessed, potentially leading to malicious actions being performed on behalf of the user.

Reproduction

To reproduce this vulnerability, log into an account on WebsiteBaker 2.13.3. Navigate to the media section and upload an SVG file containing a script tag with JavaScript, such as one that alerts the document location. After uploading, access the SVG file through the media directory to trigger the JavaScript execution.
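One way to screen SVG uploads for the active content described above, before they reach the media directory. This is an added example, not WebsiteBaker's own code or an official fix. The helper name `svg_active_content()` and the sample file are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. svg_active_content() is a hypothetical helper, not a WebsiteBaker API.
// Returns a list of reasons to reject the upload; an empty list means none were found.
function svg_active_content(string $svg): array
{
    libxml_use_internal_errors(true);           // collect parse errors instead of emitting warnings
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing.
    if ($svg === '' || !$doc->loadXML($svg, LIBXML_NONET)) {
        return ['not well-formed XML'];
    }
    $findings = [];
    if ($doc->doctype !== null) {
        $findings[] = 'DOCTYPE present';        // refuse entity declarations outright
    }
    $blocked = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blocked, true)) {
            $findings[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            // Strip whitespace and control characters before matching the scheme.
            $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
            if (strncmp($attrName, 'on', 2) === 0) {
                $findings[] = "event attribute $attrName on <$name>";
            } elseif (strpos($value, 'javascript:') !== false) {
                $findings[] = "javascript: URL in $attrName on <$name>";
            }
        }
    }
    return $findings;
}

// Constructed sample matching the reproduction text: an SVG with a script element.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" onclick="void(0)"/>
  <script>alert(document.location)</script>
</svg>
SVG;

foreach (svg_active_content($sample) as $reason) {
    echo "reject: $reason\n";
}
```

Serving uploaded SVG files with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` response header also stops script execution for files that were stored before such a check existed.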

Added: Dec 16, 2025, 5:51 PM
Updated: Dec 16, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.