PT-2025-12856 · WordPress · Wp-Svg-Upload

Pierre Rudloff · Published 2025-03-26 · Updated 2025-03-26 · CVE-2024-11847

CVSS v3.1: 4.8 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: wp-svg-upload WordPress plugin, version 1.0.0
Description: The wp-svg-upload WordPress plugin lets SVG files be added to the media library without sanitizing their contents. An SVG is an XML document that can carry <script> elements, event-handler attributes such as onload, and javascript: URLs, so a user with at least the Author role can upload an SVG containing malicious JavaScript. The script runs in the site's origin when another user opens the uploaded file directly in the browser (for example via its attachment URL), which makes this a Stored XSS. Note that browsers do not execute scripts in SVGs rendered through an <img> tag; the payload fires only when the file is loaded as a document.
Recommendations: For version 1.0.0, disable the ability to upload SVG files until a patch is available. WordPress core refuses SVG uploads by default, so deactivating or removing the plugin restores that behaviour. If SVG uploads are required, grant them only to fully trusted roles (Administrator) rather than to Author and above, and sanitize each file on upload by removing <script> elements, on* event-handler attributes, javascript: URLs and <foreignObject> content before the file is stored. Also review SVG files already present under wp-content/uploads, since a future fix will not retroactively clean files uploaded before it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
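The check a responder would want after reading this advisory is a way to find SVG attachments that already carry the script-bearing content described above. The scanner below is an added example written for this page, not code from the wp-svg-upload plugin or from WordPress. It assumes the default uploads location (wp-content/uploads) and that SVG attachments keep a .svg extension; the two embedded SVG samples are constructed for the demonstration, not real uploads.

```python
"""Scan SVG files for content that can execute JavaScript when the file is
opened directly in a browser (the stored-XSS carrier described above).

Added example for this advisory, not code from the wp-svg-upload plugin.
Assumptions: the WordPress uploads directory is wp-content/uploads (the
default) and SVG attachments are stored with a .svg extension.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Element local names that execute script or embed foreign (HTML) content.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

# Do not feed unbounded files to the XML parser (entity-expansion DoS).
MAX_BYTES = 2 * 1024 * 1024

# Constructed samples (not real uploads): a harmless icon and a file carrying
# the three classic SVG XSS vectors (onload, <script>, javascript: href).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(2)"><text x="0" y="15">x</text></a>'
    b'</svg>'
)


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def scan_svg_bytes(data):
    """Return a list of findings; an empty list means nothing script-like."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that is not well-formed XML still deserves a manual look:
        # browsers are more forgiving than the parser used here.
        return [f"unparseable XML ({exc}); inspect manually"]

    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / PIs, if a parser kept them
            continue
        tag = _local(el.tag)
        if tag.lower() in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            lname = name.lower()
            if lname.startswith("on"):
                # onload, onclick, onbegin, ... event handlers run script.
                findings.append(f"event handler attribute '{name}' on <{tag}>")
            elif lname == "href":
                # Browsers ignore whitespace inside the scheme, so strip it
                # before comparing (catches "java&#9;script:" obfuscation).
                scheme = re.sub(r"\s", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL in '{name}' on <{tag}>")
    return findings


def scan_directory(root_dir, max_bytes=MAX_BYTES):
    """Walk root_dir and map each suspicious .svg path to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes + 1)
            if len(data) > max_bytes:
                results[path] = ["exceeds size cap; inspect manually"]
                continue
            findings = scan_svg_bytes(data)
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    # Usage: python svg_scan.py /var/www/html/wp-content/uploads
    # Without an argument, the two constructed samples are scanned instead.
    if len(sys.argv) > 1:
        hits = scan_directory(sys.argv[1])
    else:
        samples = {"benign.svg": BENIGN_SVG, "malicious.svg": MALICIOUS_SVG}
        hits = {n: scan_svg_bytes(d) for n, d in samples.items()}
        hits = {n: f for n, f in hits.items() if f}
    for path, findings in sorted(hits.items()):
        print(f"{path}:")
        for finding in findings:
            print(f"  - {finding}")
    sys.exit(1 if hits else 0)
```

The scanner is deliberately conservative: it flags files for review rather than rewriting them, and it only covers the vectors named in the description (script elements, on* handlers, javascript: URLs and foreign content). It is not a sanitizer, and files it cannot parse are reported for manual inspection because a browser may still render what the XML parser rejects.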

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-11847
GHSA-V2RR-FHV8-MX74

Affected Products

Wp-Svg-Upload