CVE-2024-2306

Name of the Vulnerable Software and Affected Versions Revslider plugin for WordPress versions up to, and including, 6.6.20

Description The issue is related to Stored Cross-Site Scripting via svg upload due to insufficient input sanitization and output escaping. This allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure revslider can be extended to authors.

Recommendations For versions up to, and including, 6.6.20, update to a version higher than 6.6.20 to resolve the issue. As a temporary workaround, consider restricting access to the svg upload feature to minimize the risk of exploitation. Additionally, limit the ability to use and configure revslider to only trusted administrators to reduce the potential attack surface.