Mateus Machado Tesser

**Name of the Vulnerable Software and Affected Versions** Enable SVG, WebP & ICO Upload WordPress plugin versions 1.0.0 through 1.0.3 **Description** The issue is related to a Cross-Site Scripting vulnerability due to the lack of sanitization of SVG file contents. **Recommendations** For Enable SVG, WebP & ICO Upload WordPress plugin versions 1.0.0 through 1.0.3, update to a version that addresses the sanitization of SVG file contents to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Enable SVG Uploads WordPress plugin versions 2.1.5 and earlier **Description** The issue concerns the Enable SVG Uploads WordPress plugin, which fails to properly sanitise uploaded SVG files. This could potentially allow users with a role as low as Author to upload malicious SVG files containing XSS payloads. **Recommendations** For Enable SVG Uploads WordPress plugin versions 2.1.5 and earlier, update to a version that properly sanitises uploaded SVG files to prevent the upload of malicious content.

**Name of the Vulnerable Software and Affected Versions** File Manager Advanced Shortcode WordPress plugin versions 2.3.2 and earlier **Description** The issue arises from inadequate prevention of uploading files with disallowed MIME types when using the shortcode, leading to remote code execution (RCE) in cases where the allowed MIME type list does not include PHP files. This can be exploited by unauthenticated users in the worst-case scenario. **Recommendations** For versions 2.3.2 and earlier, update to a version that includes a fix for this issue to prevent the uploading of files with disallowed MIME types. As a temporary workaround, consider restricting access to the shortcode or disabling it until a patch is available. Restrict the allowed MIME type list to only include necessary file types to minimize the risk of exploitation.