Nathanial Lattimer

**Name of the Vulnerable Software and Affected Versions** SVG Support plugin for WordPress versions up to, and including, 2.5.5 **Description** The issue is related to Stored Cross-Site Scripting via the SVG upload feature due to insufficient input sanitization and output escaping. This allows authenticated attackers with author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful exploitation requires the administrator to allow author-level users to upload SVG files. **Recommendations** For versions up to, and including, 2.5.5, consider disabling the SVG upload feature until a patch is available to prevent exploitation. Restrict access to the `SVG upload` feature to minimize the risk of arbitrary web script injection. Avoid allowing author-level users to upload SVG files until the issue is resolved.