Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
Description
The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Enable SVG plugin
- Range: <1.4.0
Patches
Vulnerability mechanics
Root cause
"Missing sanitization of uploaded SVG files allows injection of arbitrary JavaScript."
Attack vector
An attacker with a role as low as Author uploads a crafted SVG file containing embedded JavaScript (XSS payload) via the WordPress media uploader [ref_id=1]. Because the plugin does not sanitize SVG files, the malicious SVG is stored on the server and served to other users. When a victim views a page or post that renders the SVG, the JavaScript executes in their browser session, leading to stored cross-site scripting [CWE-79].
Affected code
The Enable SVG WordPress plugin (versions before 1.4.0) fails to sanitize uploaded SVG files. The advisory does not specify exact file paths or function names, but the vulnerability lies in the SVG upload handling code that processes media uploads for users with Author-level access or higher.
What the fix does
The advisory states the vulnerability is fixed in version 1.4.0 of the Enable SVG plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably introduces sanitization of SVG file contents during upload, stripping or escaping executable JavaScript before the file is stored. Users should update to version 1.4.0 or later.
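Added here as an illustration of what such upload-time sanitisation looks like (this is not code from the Enable SVG plugin or the advisory): an allow-list SVG scrubber that parses the upload as XML, rejects anything whose root is not an SVG element, and strips script-bearing elements, event-handler attributes and non-http(s) `href` values before the file is stored. Function names and the sample upload are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)                               # keep default xmlns on output
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")  # keep xlink:href readable
# Elements that execute script, embed HTML, or can rewrite an href at runtime.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}

def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]

def url_is_safe(value):
    """True for fragment (#id), relative or http(s) URLs; False for javascript:, data: etc."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)   # browsers ignore these inside a scheme
    match = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    return match is None or match.group(1).lower() in ("http", "https")

def _scrub(elem, findings):
    tag = _local(elem.tag)
    for name in list(elem.attrib):
        local = _local(name)
        if local.lower().startswith("on"):          # onload, onclick, ... event handlers
            findings.append(f"removed {local} on <{tag}>")
            del elem.attrib[name]
        elif local == "href" and not url_is_safe(elem.attrib[name]):
            findings.append(f"removed unsafe href on <{tag}>")
            del elem.attrib[name]
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            findings.append(f"removed <{_local(child.tag)}>")
            elem.remove(child)                       # drops the whole subtree
        else:
            _scrub(child, findings)

def sanitize_svg(data):
    """Parse an uploaded SVG; return (clean_bytes, findings). Raises ValueError if not SVG."""
    root = ET.fromstring(data)   # comments and <?xml-stylesheet?> PIs are dropped by the parser
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg> in the SVG namespace")
    findings = []
    _scrub(root, findings)
    return ET.tostring(root), findings

# Constructed sample upload: a harmless circle plus the three things a sanitiser must strip.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(1)"><script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle cx="10" cy="10" r="5"/></a>
  <use xlink:href="#shape"/></svg>"""
```

Running `sanitize_svg(SAMPLE_UPLOAD)` returns the cleaned markup with three findings; a benign file returns no findings and an HTML document renamed to .svg is rejected outright.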
Preconditions
- Auth: Attacker must have at least Author-level role on the WordPress site
- Config: The Enable SVG plugin must be installed and active in a version before 1.4.0
- Input: Attacker must be able to upload media files (standard WordPress Author capability)
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- wpscan.com/vulnerability/8e5b1e4f-c132-42ee-b2d0-7306ab4ab615 (source: MITRE, x_refsource_MISC)