CVE-2024-11098

The SVG Block plugin for WordPress, up to version 1.1.24, contains a stored cross-site scripting (XSS) vulnerability in the REST API SVG file upload functionality. The plugin claims to automatically sanitize SVG markup [1], but the input sanitization and output escaping are insufficient, allowing malicious SVG content to persist.

An authenticated attacker with Administrator-level access can upload a crafted SVG file through the REST API. Because the SVG is stored on the server and later served to users without proper escaping, the injected script executes in the browser of any user who views the SVG file. This attack does not require additional privileges beyond admin access.

If exploited, the attacker can inject arbitrary web scripts that execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or further compromise of the WordPress site. The vulnerability affects all versions of the plugin up to and including 1.1.24.

As of the publication date, no patched version has been released. Users are advised to restrict admin access or remove the plugin until a fix is available.