Moderate severityNVD Advisory· Published Mar 26, 2025· Updated Mar 26, 2025

WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG

CVE-2024-11847

Description

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
digimix/wp-svg-uploadPackagist	<= 1.0.0	—

Affected products

WordPress/Wp Svg Uploadcpe-rescue2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)
ghsa-coords
pkg:composer/digimix/wp-svg-upload
Range: <= 1.0.0

Patches

Vulnerability mechanics

References

wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65/mitreexploitvdb-entrytechnical-description
github.com/advisories/GHSA-v2rr-fhv8-mx74ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-11847ghsaADVISORY
wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000