PT-2022-25291 · WordPress · Svg Support

Marco Wotschka · Published 2022-11-16 · Updated 2022-11-18

CVE-2022-4022

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SVG Support plugin for WordPress, versions 2.5 through 2.5.1

Description: The SVG Support plugin for WordPress defaults to insecure settings, allowing authenticated attackers with author-level privileges and higher to upload malicious SVG files. These files can contain malicious JavaScript and are not sanitized by the plugin. The embedded JavaScript is triggered when the image URL is visited, enabling an attacker to execute malicious code in the browsers of users who visit that URL.

Recommendations: For versions 2.5 and 2.5.1, enable sanitization of uploaded images and restrict SVG upload to administrators only.
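As an added example (not code from the advisory or from the SVG Support plugin), a stand-alone Python check that flags the kinds of active content an SVG sanitizer is expected to strip, useful for auditing files already sitting in an uploads directory; the two sample SVGs are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for bulk untrusted input, defusedxml's fromstring is the safer drop-in

# Attribute names whose value is a URL; a javascript: scheme there executes code.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def _local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG should not be served unsanitized.
    An empty list means no active content was found. The checks mirror what an
    SVG sanitizer removes: script elements, foreignObject (which can embed HTML),
    on* event-handler attributes and javascript: URLs.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ("script", "foreignObject"):
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr).lower()
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{tag}>")
            elif attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr_name} on <{tag}>")
    return findings


# Constructed samples: a benign icon, and one carrying the syntactic markers of
# the active content the advisory describes (placeholders, no real payload).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="javascript:void 0"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, svg in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(svg) or "ok")
```

Any non-empty result means the file should be rejected or re-run through the sanitizer before it is served from the media library.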

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2022-4022

Affected Products: Svg Support