CVE-2018-11564

Name of the Vulnerable Software and Affected Versions YOOtheme Pagekit versions 1.0.13 and earlier

Description The issue allows a user to upload malicious code via the picture upload feature, specifically by uploading a photo in SVG format. This file is not stripped or filtered by the system. An attacker can create a link on the website pointing to "/storage/poc.svg" which triggers a XSS attack when clicked.

Recommendations For YOOtheme Pagekit versions 1.0.13 and earlier, consider disabling the picture upload feature, especially for users with elevated privileges, until a fix is available. Restrict access to the "/storage/" directory to minimize the risk of exploitation. Avoid using the picture upload feature in SVG format until the issue is resolved.