PT-2024-38248 · WordPress · Wordpress File Upload
Wesley · Published 2024-08-15 · Updated 2024-08-19 · CVE-2024-7301
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WordPress File Upload plugin, versions up to and including 4.24.8

Description: The WordPress File Upload plugin is affected by a Stored Cross-Site Scripting vulnerability via SVG file uploads. Because uploaded SVG content is neither sufficiently sanitized on input nor escaped on output, an unauthenticated attacker can inject arbitrary web script into pages; the script executes whenever a user accesses the uploaded SVG file.

Recommendations: For WordPress File Upload plugin versions up to and including 4.24.8, update to a version higher than 4.24.8. As a temporary workaround, restrict SVG file uploads until the patch is applied, and avoid using the plugin's upload functionality for SVG files until the issue is resolved.
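The description above names the two missing controls (input sanitization and output handling of uploaded SVG). The following is an added example, not code from the WordPress File Upload plugin (which is PHP) or from the advisory's author; it is a stand-alone Python checker that assumes an upload handler calls `is_safe_svg()` on the raw file bytes and rejects the upload when it returns `False`, and that the file is later served with the headers from `serve_headers()`. The SVG samples are constructed for the example and contain no working payload; all names in the block are assumptions.

```python
"""Check an uploaded SVG for active content before storing it, and build
the response headers for serving it afterwards.

Added example (not the plugin's code). Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can carry or trigger script inside an SVG document.
# <foreignObject> is included because it embeds arbitrary XHTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attribute values beginning with these schemes run code or smuggle
# content when the element is activated (e.g. <a href="javascript:...">).
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# URL-bearing attributes compared against DANGEROUS_SCHEME. Names are local
# names, so xlink:href is seen as "href"; to/from/values cover <set> and
# <animate> targets that rewrite an href at runtime.
URL_ATTRIBUTES = {"href", "src", "to", "from", "values"}


def _local(qname: str) -> str:
    """ElementTree writes qualified names as '{namespace}local'; return the
    lower-cased local part so a namespace prefix cannot disguise an element."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return one human-readable finding per script-capable construct.
    An empty list means the document parsed as SVG and nothing active was found."""
    findings: list[str] = []
    # Refuse DOCTYPE declarations outright: entity expansion is a separate
    # XML parser risk, and a plain image has no need for one.
    if re.search(rb"<!DOCTYPE", svg_bytes, re.IGNORECASE):
        return ["DOCTYPE declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, onbegin, ...
                findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRIBUTES and DANGEROUS_SCHEME.match(value):
                findings.append(f"{name} on <{tag}> uses a script or data: scheme")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the document parses as SVG and carries no active content."""
    return not find_active_content(svg_bytes)


def serve_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored SVG so that a file which slipped past the
    check still cannot run script in the site's origin: a direct visit
    downloads instead of rendering, and the sandboxed CSP blocks script if the
    browser renders it anyway. Scripts never run in an <img> context, so
    embedding the image in pages keeps working."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "image.svg"
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample: an ordinary image that should be accepted.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>"""

# Constructed sample of the file type the advisory describes: an image that
# also carries script. Three inert vectors so that each check is exercised.
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed sample, does nothing */</script>
  <rect width="10" height="10" onload="void 0"/>
  <a xlink:href="javascript:void(0)"><text>link</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", "accept" if is_safe_svg(doc) else find_active_content(doc))
    print(serve_headers("logo v2.svg"))
```

Rejecting rather than stripping keeps the check simple and auditable; a sanitizer that rewrites the document has to get every edge case right, whereas a reject-on-sight rule only has to recognise the constructs. The serving headers are the second layer the description calls for on the output side: they make the stored file harmless to the site's origin even if the upload check is bypassed.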

Fix

XSS

Weakness Enumeration:

Related Identifiers: CVE-2024-7301

Affected Products: Wordpress File Upload