CVE-2023-6708

Name of the Vulnerable Software and Affected Versions SVG Support plugin for WordPress versions up to, and including, 2.5.5

Description The issue is related to Stored Cross-Site Scripting via the SVG upload feature due to insufficient input sanitization and output escaping. This allows authenticated attackers with author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful exploitation requires the administrator to allow author-level users to upload SVG files.

Recommendations For versions up to, and including, 2.5.5, consider disabling the SVG upload feature until a patch is available to prevent exploitation. Restrict access to the SVG upload feature to minimize the risk of arbitrary web script injection. Avoid allowing author-level users to upload SVG files until the issue is resolved.