VYPR
Unrated severity · NVD Advisory · Published Jul 13, 2024 · Updated Aug 1, 2024

Support SVG < 1.1.0 - Stored XSS via SVG Upload

CVE-2024-4272

Description

The Support SVG WordPress plugin before 1.1.0 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files containing malicious JavaScript and conduct Stored XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Support SVG WordPress plugin before 1.1.0 allows authors to upload SVG files with malicious JavaScript, leading to stored XSS.

Vulnerability

The Support SVG WordPress plugin before version 1.1.0 fails to sanitize SVG file contents during upload [1]. This allows any user with at least the author role to upload SVG files containing arbitrary JavaScript. The vulnerability exists in all versions prior to 1.1.0.

Exploitation

An attacker must have an author-level account on the WordPress site [1]. They can then upload an SVG file containing malicious JavaScript code as the plugin does not sanitize SVG contents. No additional user interaction is required beyond the upload process; the stored script will execute when any page displaying the uploaded SVG is viewed [1].

Impact

Successful exploitation results in stored cross-site scripting (XSS). The attacker's JavaScript executes in the browser of any visitor who views a page containing the malicious SVG. This can lead to session hijacking, defacement, or theft of sensitive information from authenticated users [1].

Mitigation

Users should update to version 1.1.0 or later, which fixes the sanitization issue [1]. There is no known workaround short of disabling the plugin until an update is applied. The vulnerability is not listed on the CISA KEV.
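As an added illustration of the upload-time check the plugin lacked before 1.1.0 (example code, not the plugin's own), the following Python detector walks an SVG document and reports the constructs through which JavaScript can be carried: script and foreignObject elements, on* event-handler attributes, and javascript: URIs in href/src. Both sample SVGs are constructed for the example.

```python
"""Flag JavaScript-bearing constructs in an SVG upload before it is stored."""
import xml.etree.ElementTree as ET

# Constructed sample: an SVG carrying script via three different vectors.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
</svg>"""

# Constructed sample: a benign icon that a sanitizer should let through.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

SCRIPT_ELEMENTS = {"script", "foreignobject"}
URI_ATTRIBUTES = {"href", "src"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://...}href'."""
    return name.rsplit("}", 1)[-1]


def find_script_vectors(svg_bytes: bytes) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious.

    Note: ElementTree is not hardened against entity-expansion attacks; a
    production upload handler should parse with a hardened library instead
    (assumption: defusedxml or equivalent is available there).
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Unparseable uploads are rejected rather than passed through.
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # every on* attribute is an event handler
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when no script vector was found; a rejecting default."""
    return not find_script_vectors(svg_bytes)
```

A detector like this is a gate, not a fix: the durable remedy is an allowlist sanitizer that rewrites the SVG to known-safe elements and attributes, which is what an updated plugin is expected to do.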

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3


References: 1
