PT-2022-21956 · WordPress · Gutenberg

Author: Phoenix
Published: 2022-07-30
Updated: 2022-08-16
CVE: CVE-2022-33994
CVSS v3.1: 3.0 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gutenberg plugin versions through 13.7.3 for WordPress

Description: The issue allows stored XSS by a user with the Contributor role, who supplies an SVG document to the "Insert from URL" feature. The XSS payload does not execute in the context of the WordPress instance's own domain. However, some similar products block analogous attempts by low-privileged users to reference SVG documents, and this behavioral difference may be security-relevant to some WordPress site administrators.

Recommendations: For versions through 13.7.3, consider disabling the "Insert from URL" feature until a patched version is available. Restrict access to the SVG document upload functionality to minimize the risk of stored XSS attacks.

Tags: XSS
Related Identifiers: CVE-2022-33994
Affected Products: Gutenberg