Luan Pedersini

**Name of the Vulnerable Software and Affected Versions** Allow SVG Files WordPress plugin versions 1.1 and earlier **Description** The issue concerns the Allow SVG Files WordPress plugin, which fails to sanitize uploaded SVG files. This could allow users with a role as low as Author to upload malicious SVG files containing XSS payloads. **Recommendations** For Allow SVG Files WordPress plugin versions 1.1 and earlier, consider disabling the SVG upload feature until a patch is available to prevent potential XSS attacks. Restrict access to the plugin's upload functionality to minimize the risk of exploitation. Avoid using the plugin for uploading SVG files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Easy SVG Support WordPress plugin versions prior to 3.3.0 **Description** The issue concerns the Easy SVG Support WordPress plugin, which does not properly sanitise uploaded SVG files. This could allow users with a role as low as Author to upload a malicious SVG file containing XSS payloads. **Recommendations** For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Import Export All WordPress Images, Users & Post Types WordPress plugin versions prior to 6.5.3 **Description** The issue concerns the lack of full validation for files to be imported via URL, which could allow high-privilege users, such as admins, to perform Blind SSRF (Server-Side Request Forgery) attacks. This occurs because the plugin makes an HTTP request to the file without properly checking its validity. **Recommendations** For versions prior to 6.5.3, update to version 6.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the import functionality to trusted sources or disabling it until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Allow svg files WordPress plugin versions prior to 1.1 **Description** The issue concerns the improper validation of uploaded files, which could allow high-privilege users, such as administrators, to upload PHP files even when they are not supposed to. This could potentially lead to security breaches. **Recommendations** For versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting file upload permissions for high-privilege users until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Enable SVG WordPress plugin versions prior to 1.4.0 **Description** The issue concerns the Enable SVG WordPress plugin, which does not properly sanitize uploaded SVG files. This could allow users with a role as low as Author to upload malicious SVG files containing XSS payloads. **Recommendations** For versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload SVG files to higher roles until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** External Media without Import WordPress plugin versions 1.1.2 and earlier **Description** The issue allows any authenticated users to perform blind SSRF attacks due to the lack of authorization and validation of media sources. This could potentially enable attackers to access internal resources. **Recommendations** For External Media without Import WordPress plugin versions 1.1.2 and earlier, update to a version that includes proper authorization and validation of media sources to prevent blind SSRF attacks.

**Name of the Vulnerable Software and Affected Versions** EXMAGE WordPress plugin versions prior to 1.0.7 **Description** The issue arises because the plugin does not properly verify if images added via URLs are external, potentially leading to a blind Server-Side Request Forgery (SSRF) issue when using local URLs. **Recommendations** For versions prior to 1.0.7, update to version 1.0.7 or later to resolve the issue. As a temporary workaround, consider restricting the ability to add images via URLs to minimize the risk of exploitation.