Ally – Web Accessibility & Usability is a widely deployed WordPress plugin (400k+ installs) that enhances accessibility and content usability across themes and page builders. During security testing, we identified CVE-2025-10700, a Cross-Site Request Forgery (CSRF) flaw that allows a malicious site to trick a logged-in administrator’s browser into enabling “unfiltered SVG uploads” via the plugin’s AJAX action. Although the handler correctly checks current_user_can('manage_options'), it does not validate a CSRF nonce, meaning an admin merely visiting a hostile page can have their upload policy silently weakened. Because SVG is effectively an XML/HTML container with scriptable/interactive capabilities, forcibly enabling unfiltered SVG support increases exposure to SVG-borne XSS, data smuggling, and stored-content abuse in environments where other defenses are imperfect or later regress.
| Field | Value |
|---|---|
| CVE | CVE-2025-10700 |
| Plugin Version | Ally – Web Accessibility & Usability <= 3.8.0 |
| Severity | High |
| All-time downloads | 2 916 493 |
| Active installations | 400 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10700 |
| Reference | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pojo-accessibility/ally-web-accessibility-usability-380-cross-site-request-forgery-to-plugin-settings-update |
Timeline

| Date | Event |
|---|---|
| September 11, 2025 | Plugin testing and vulnerability detection in Ally – Web Accessibility & Usability were completed |
| September 11, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-10700 |
Discovery of the Vulnerability
The plugin exposes an admin-AJAX action ea11y_svg_upload which, when invoked, calls enable_unfiltered_files_upload() to toggle an allow-SVG setting and register the SVG MIME type for the current admin context. The callback does check privileges (manage_options) but omits any anti-CSRF mechanism (check_ajax_referer() / nonce). In practice, a hostile page can auto-submit a POST to /wp-admin/admin-ajax.php with action=ea11y_svg_upload, and the victim's authenticated browser will complete the request without further interaction. In testing, this immediately flipped the plugin's internal flag and updated WordPress' MIME acceptance state for SVG, with no confirmation UI and no additional safety checks.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-10700, an attacker needs no cookies or account of their own: it is enough that a logged-in administrator opens a page that auto-submits the form below.

POC:

```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="ea11y_svg_upload" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
Forced acceptance of unfiltered SVG expands the attack surface: a compromised author account (or a future admin action) could upload an SVG with inline JavaScript or external references that execute when embedded via image blocks, custom HTML, or theme components. In editorial workflows, SVGs often bypass the scrutiny given to JS/HTML files, enabling stealth cross-page beacons or credential-harvesting overlays. In multi-admin environments, one admin’s coerced policy change can silently affect all subsequent uploads; the risk compounds if the site relies on downstream caching/CDN where malicious SVGs persist. Even if your current theme strips script tags, SVG’s flexibility (e.g., animate, foreignObject, xlink:href) has historically provided numerous gadget surfaces when sanitization is incomplete.
Recommendations for Improved Security
For the plugin vendor
- Add CSRF protection: require a valid nonce in the AJAX handler via `check_ajax_referer( 'ea11y_svg_upload', 'security' )` and reject requests without it.
- Harden the route: restrict to POST only, verify `current_user_can('manage_options')` before changing settings, and return explicit success/failure JSON.
- Safe defaults: keep SVG disabled or sanitized-only by default; if providing an "unfiltered" mode, present clear warnings and require an explicit admin UI action with a one-time confirmation.
- Prefer allow-list MIME logic: wire uploads through a sanitizer (e.g., `enshrined/svg-sanitizer`) and enforce strict policies for SVG usage locations (block rendering in unsafe contexts).
- Audit other AJAX/REST routes for missing `check_ajax_referer()` to avoid similar CSRF vectors.
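The handler pattern these recommendations describe, as an added example that is not the plugin's own code: a hypothetical settings toggle shown first in the nonce-less form the advisory describes, then hardened with `check_ajax_referer()`, a POST-only check, explicit JSON responses, and a nonce handed to the admin page's own script. All function and option names prefixed `example_` are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not code from the Ally plugin. Assumes a WordPress runtime.

// BEFORE: the pattern behind CVE-2025-10700. The capability check passes for
// any logged-in admin, including one whose browser was steered here by a
// cross-site form post, because no nonce ties the request to the admin UI.
function example_vulnerable_svg_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_allow_unfiltered_svg', 1 ); // silently flipped
    wp_send_json_success();
}

// AFTER: POST only, nonce verified before any state change, capability
// re-checked, and an explicit value instead of a bare toggle.
function example_hardened_svg_handler() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    // Terminates with HTTP 403 unless $_POST['security'] holds a nonce that
    // was generated for this action in the current user's session.
    check_ajax_referer( 'ea11y_svg_upload', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enable = isset( $_POST['enable'] ) && '1' === $_POST['enable'];
    update_option( 'example_allow_unfiltered_svg', $enable ? 1 : 0 );
    wp_send_json_success( array( 'unfiltered_svg' => $enable ) );
}
add_action( 'wp_ajax_example_svg_upload', 'example_hardened_svg_handler' );

// Expose the nonce only to the plugin's own admin script. A page on another
// origin cannot read it, so it cannot forge a request that passes the check.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleSvg', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ea11y_svg_upload' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The admin script then sends `action=example_svg_upload`, `security=<nonce>` and `enable=1` in its POST body; the PoC form above, lacking the nonce, is rejected before `update_option()` runs.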
For site owners / administrators
- Update Ally to a patched version as soon as available.
- Apply a CSP (e.g., disallow inline scripts; regulate `object-src`, `img-src`, and `frame-src`) to limit SVG exploitability even if uploaded.
- Enforce sanitization: if SVG is necessary, route through a sanitizer plugin and restrict upload permissions to trusted roles.
- Cookie hardening: consider `SameSite=Lax/Strict` for auth cookies (mind admin workflows) and avoid browsing untrusted sites while logged in as admin.
- Monitoring & review: alert on MIME policy changes and periodically scan uploads for SVG files with suspicious elements (`script`, `foreignObject`, external references).
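A review helper for the last item, added here as an example rather than taken from the advisory: it parses an SVG with PHP's bundled DOM extension (network access disabled) and reports the elements the advisory names, inline event handlers, and `href`/`xlink:href` values pointing at external or scriptable targets. The sample SVG is constructed inline.

```php
<?php
// Added example (not part of the advisory). Requires PHP 8 with ext-dom.
function example_scan_svg( string $svg ): array {
    $findings = array();
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities from untrusted XML.
    $ok = $doc->loadXML( $svg, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return array( 'unparseable' ); // malformed files deserve a look too
    }
    $xpath = new DOMXPath( $doc );
    foreach ( $xpath->query( '//*' ) as $el ) {
        $name = strtolower( $el->localName );
        if ( in_array( $name, array( 'script', 'foreignobject', 'iframe', 'object', 'embed' ), true ) ) {
            $findings[] = "element:$name";
        }
        foreach ( $el->attributes as $attr ) {
            $aname = strtolower( $attr->localName ); // xlink:href -> href
            $value = trim( $attr->value );
            if ( str_starts_with( $aname, 'on' ) ) {
                $findings[] = "event-handler:$aname";
            } elseif ( 'href' === $aname
                && preg_match( '#^(https?:|//|javascript:|data:)#i', $value ) ) {
                $findings[] = "external-ref:$value"; // fragment refs (#id) are left alone
            }
        }
    }
    return array_values( array_unique( $findings ) );
}

// Constructed sample: an icon with an inline handler, a script block and a
// remote image reference. Expected findings: event-handler:onload,
// element:script, external-ref:https://example.invalid/track.png
$sample = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<circle r="10" onload="doSomething()"/>'
        . '<script>doSomething()</script>'
        . '<image xlink:href="https://example.invalid/track.png"/>'
        . '<use href="#icon"/></svg>';
print_r( example_scan_svg( $sample ) );
```

Run it over `wp-content/uploads/**/*.svg` on a schedule and alert on any non-empty result; a clean file returns an empty array.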
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-10700, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
