SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting
Description
The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The SVG Support plugin before 2.3.20 has a stored XSS vulnerability in the CSS Class to target setting, exploitable by high-privilege users even without unfiltered_html.
Vulnerability
The SVG Support WordPress plugin (versions before 2.3.20) fails to escape the "CSS Class to target" setting before outputting it in an attribute [1]. This allows high-privilege users, such as administrators, to inject arbitrary JavaScript even when the unfiltered_html capability is disallowed [1]. The vulnerability is exploitable through the plugin's settings page.
Exploitation
Exploitation requires an attacker with administrative or equivalent high-privilege access to a WordPress site running SVG Support < 2.3.20 [1]. The attacker navigates to the plugin settings, locates the "CSS Class to target" field, and injects a payload containing malicious JavaScript [1]. The payload is stored in the database and executed when the settings page is rendered for any user with access (including other admins, or lower-privileged users if the setting output appears in other contexts) [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS) [1]. The attacker can execute arbitrary JavaScript in the context of any user who views the affected admin page [1]. This can result in session hijacking, defacement, or theft of sensitive information. The impact is limited to users with access to the WordPress admin dashboard, but due to the stored nature, it can propagate to other administrators.
Mitigation
The vulnerability is fixed in version 2.3.20 of SVG Support [1]. Affected users should update immediately. No known workarounds are documented. The plugin is actively maintained and no EOL status has been indicated. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
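The root cause is a stored setting written into an HTML attribute without attribute-context escaping. The following is an added illustration, not SVG Support's own code: the vulnerable output pattern beside the hardened form, plus a save-time sanitizer as defence in depth. The option name `svg_support_css_class`, the input markup and the use of `register_setting()` are assumptions.

```php
<?php
// Added example (not the plugin's own code). Option name and markup are assumptions.

// Vulnerable pattern: the stored setting is echoed straight into a value="" attribute.
// A saved value containing a double quote closes the attribute early, and whatever
// follows is parsed as further markup, so the setting becomes stored XSS for every
// user who renders this settings page, no matter who saved it.
function render_css_class_field_vulnerable(): void {
    $class = get_option( 'svg_support_css_class', '' );
    echo '<input type="text" name="svg_support_css_class" value="' . $class . '">';
}

// Hardened pattern (what the 2.3.20 fix amounts to): escape for the attribute
// context at output time. esc_attr() encodes < > & " ' so the value can never
// terminate the attribute, regardless of the saver's capabilities (unfiltered_html
// included), because the check is applied where the data is emitted.
function render_css_class_field_hardened(): void {
    $class = get_option( 'svg_support_css_class', '' );
    echo '<input type="text" name="svg_support_css_class" value="' . esc_attr( $class ) . '">';
}

// Defence in depth: also restrict what can be stored. A CSS class name only needs
// letters, digits, hyphen and underscore, so strip everything else on save.
// Assumption: the option is registered with register_setting(), whose
// 'sanitize_callback' argument would point at this function.
function sanitize_css_class_setting( $value ): string {
    $value = sanitize_text_field( (string) $value );
    return preg_replace( '/[^A-Za-z0-9_-]/', '', $value );
}

register_setting(
    'svg_support_settings',        // assumed option group
    'svg_support_css_class',       // assumed option name
    array( 'sanitize_callback' => 'sanitize_css_class_setting' )
);
```

Output escaping is the actual fix; the save-time sanitizer only narrows the stored values and must not replace `esc_attr()`, since a setting can also be written by other code paths (WP-CLI, direct database access, imports).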
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- [1] plugins.trac.wordpress.org/changeset/2651929 (CONFIRM)
- [1] wpscan.com/vulnerability/38018695-901d-48d9-b39a-7c00df7f0a4b (MISC)
News mentions (0)
No linked articles in our index yet.