PT-2021-15919 · WordPress · Wp Svg Images

Author: Afeef +1
Published: 2021-07-06 · Updated: 2021-07-09
CVE-2021-24386
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP SVG images WordPress plugin, versions prior to 3.4
Description: The issue allows low-privilege users (Author role and above) to upload malicious SVG files, which could lead to XSS attacks by inducing another user to access the file directly. The plugin has been updated to restrict such uploads to Editors and Administrators, with an option to also allow Authors to upload. A security warning has been added to the plugin description.
Recommendations: For versions prior to 3.4, update to version 3.4 or later, which restricts the upload of SVG files to Editors and Administrators and includes an option to allow Authors to upload. As a temporary workaround, consider restricting the upload of SVG files to trusted users until the update is applied.
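The workaround above (restricting SVG uploads to trusted roles until the update is applied) can be implemented site-wide as a must-use plugin. The following is an added example written for this page, not code from the WP SVG images plugin; the constant name EXAMPLE_ALLOW_AUTHOR_SVG and the function name are assumptions that mirror the "also allow authors" option the advisory describes.

```php
<?php
/**
 * Plugin Name: Example SVG upload restriction (mu-plugin)
 * Drop into wp-content/mu-plugins/. Hypothetical example, not the plugin's own code.
 */

// Assumed toggle mirroring the plugin's option: set true to also let Authors upload SVG.
const EXAMPLE_ALLOW_AUTHOR_SVG = false;

// Editors and Administrators hold edit_others_posts; Authors hold publish_posts but not that.
function example_user_may_upload_svg() {
    if ( current_user_can( 'edit_others_posts' ) ) {
        return true;
    }
    return EXAMPLE_ALLOW_AUTHOR_SVG && current_user_can( 'publish_posts' );
}

// Gate 1: only advertise the SVG MIME type to permitted roles; strip it for everyone else,
// even if another plugin added it earlier (priority 99 runs after most others).
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( example_user_may_upload_svg() ) {
        $mimes['svg'] = 'image/svg+xml';
    } else {
        unset( $mimes['svg'], $mimes['svgz'] );
    }
    return $mimes;
}, 99 );

// Gate 2: reject the upload itself when the file is SVG by extension or by content,
// so a renamed file does not slip past the extension-based check.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext           = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    $looks_like_svg = in_array( $ext, array( 'svg', 'svgz' ), true );

    if ( ! $looks_like_svg && is_readable( $file['tmp_name'] ) ) {
        // Inspect only the first 512 bytes; an SVG root element appears near the start.
        $head           = file_get_contents( $file['tmp_name'], false, null, 0, 512 );
        $looks_like_svg = is_string( $head ) && false !== stripos( $head, '<svg' );
    }

    if ( $looks_like_svg && ! example_user_may_upload_svg() ) {
        // Setting 'error' to a string makes WordPress abort the upload with this message.
        $file['error'] = 'SVG uploads are restricted to Editors and Administrators on this site.';
    }
    return $file;
} );
```

Role restriction narrows who can reach the upload path but does not sanitize SVG content, so a file uploaded by a still-permitted user is served unchanged when accessed directly; serving uploads from a separate origin or with a restrictive Content-Security-Policy header is the complementary control.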

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-24386
Affected Products: Wp Svg Images