SVG Support < 2.5 - Author+ Stored Cross-Site Scripting
Description
The SVG Support WordPress plugin before 2.5 does not properly handle SVG added via a URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SVG Support WordPress plugin before 2.5 allows stored XSS via SVG uploads by users with author role.
Vulnerability
The SVG Support WordPress plugin before version 2.5 fails to properly sanitize SVG files added via URL, leading to stored cross-site scripting (XSS). All versions prior to 2.5 are affected.
Exploitation
An attacker with at least the author role can upload a malicious SVG file containing a JavaScript payload via the plugin's media upload functionality. The SVG is stored on the server and executed when a victim views the page containing the SVG.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious actions.
Mitigation
Update to version 2.5 or later. The fix was included in version 2.5 as noted in the WPScan advisory [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE); version range: <2.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The SVG Support plugin does not properly sanitize SVG files imported via URL, allowing malicious JavaScript to be embedded in uploaded SVG content."
Attack vector
An attacker with Author-level privileges (or higher) can craft an SVG file containing embedded JavaScript and host it at a URL. Using the plugin's "SVG added via an URL" feature, the attacker supplies that URL, and the plugin imports the SVG without sanitizing its contents [ref_id=1]. Because the SVG is then served from the WordPress site, the malicious script executes in the context of the victim's session when they view the SVG, leading to stored Cross-Site Scripting [CWE-79].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the SVG Support plugin's handling of SVGs added via URL, prior to version 2.5 [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 2.5 of the SVG Support plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds sanitization or validation of SVG content imported via URL, stripping or escaping executable JavaScript before the SVG is stored and displayed. Users should update to version 2.5 or later.
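As an added illustration of the kind of sanitization the paragraph above describes (this is not the plugin's own fix, whose code the advisory does not show), the following Python routine strips the script-bearing constructs an SVG needs for stored XSS before the file would be persisted. The sample SVG, function names and the deny-lists are constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default xmlns when re-serialising

# Elements that can carry or load script; removed together with their subtrees.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute code when an href is followed.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _is_active_url(value):
    # Drop whitespace/control characters browsers ignore, e.g. "java<TAB>script:".
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()
    return compact.startswith(ACTIVE_SCHEMES)


def _clean(elem, removed):
    for name in list(elem.attrib):  # copy: we delete while iterating
        local = _local(name).lower()
        if local.startswith("on") or (local == "href" and _is_active_url(elem.attrib[name])):
            removed.append(f"attribute {_local(name)} on <{_local(elem.tag)}>")
            del elem.attrib[name]
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_TAGS:
            removed.append(f"element <{_local(child.tag)}>")
            elem.remove(child)
        else:
            _clean(child, removed)


def sanitize_svg(svg_text):
    """Return (sanitized SVG text, list of stripped items); raises on non-SVG or malformed input."""
    root = ET.fromstring(svg_text)  # ET.ParseError propagates for malformed XML
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample in the shape the advisory describes (event handler, script,
# scheme-obfuscated href, foreignObject); the circle is the only legitimate content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="java&#9;script:alert(1)"><text x="10" y="20">click</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>"""
```

The returned list of stripped items is what a plugin would log, so an upload that needed sanitizing can also be alerted on rather than silently cleaned. A deny-list like this is the minimum; a production sanitizer should instead allow-list the SVG elements and attributes the site actually needs.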
Preconditions
- auth: Attacker must have a WordPress user role of Author or higher.
- config: The SVG Support plugin must be installed and active with a version prior to 2.5.
- input: Attacker must have access to a URL hosting a malicious SVG file.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/62b2548e-6b59-48b8-b1c2-9bd47e634982 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.