VYPR
Unrated severity · NVD Advisory · Published May 15, 2025 · Updated May 20, 2025

Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload

CVE-2024-8673

Description

The Z-Downloads WordPress plugin before 1.11.7 allows admin-level users to upload SVG files with malicious JavaScript, leading to stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Z-Downloads WordPress plugin versions before 1.11.7 fail to properly validate uploaded file types, allowing users with administrative privileges to upload SVG files. These SVG files can contain embedded JavaScript, which is not sanitized or stripped by the plugin. This results in a stored cross-site scripting (XSS) vulnerability (CWE-79) [1].

Exploitation

An attacker must have an admin-level account on the WordPress site to upload files via the plugin. The attacker uploads an SVG file containing malicious JavaScript code. When other users (including other admins or visitors) view the uploaded SVG file, the JavaScript executes in their browser. The exact sequence: attacker logs in as admin, navigates to the upload functionality, selects an SVG file with embedded script, and submits it. The plugin stores the file without sanitization [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who views the uploaded SVG. This can lead to session hijacking, defacement, or theft of sensitive information. The CVSS score is 3.5 (low), indicating limited impact due to the requirement of admin-level access for upload [1].

Mitigation

The vulnerability is fixed in version 1.11.7 of the Z-Downloads plugin. Users should update to this version or later. No workarounds are mentioned in the available references. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing file type validation allows uploading SVG files containing arbitrary JavaScript."

Attack vector

An attacker with administrator-level access to the WordPress admin panel uploads a crafted SVG file through the Z-Downloads plugin's file upload functionality. The plugin does not validate uploads in a way that rejects SVGs containing embedded JavaScript [1]. When the SVG is later viewed or rendered in a browser, the malicious JavaScript executes in the context of the victim's session, leading to stored cross-site scripting (XSS) [CWE-79].

Affected code

The advisory does not identify specific functions or files. The vulnerability exists in the file upload handling of the Z-Downloads plugin for WordPress, versions before 1.11.7 [1].

What the fix does

The advisory states the vulnerability is fixed in version 1.11.7 of the Z-Downloads plugin [1]. No patch diff is provided in the bundle, but the fix presumably adds file type validation to reject SVG uploads or sanitizes SVG content to remove JavaScript. The advisory does not specify the exact code changes.
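
A filter of the kind the fix described above (and the Mitigation section) would need, written here as an added example and not taken from Z-Downloads: it parses a candidate SVG, reports every script element, inline event handler, script-scheme link and animation element that rewrites one of those attributes, and strips them before the file is stored. All function names and the sample SVG are my own constructions; the stdlib parser is used so the block runs offline, whereas a production filter should parse with defusedxml.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)
ACTIVE_ELEMENTS = {"script", "foreignObject"}  # run script or embed HTML
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}   # links on <a>, <use>, <image>
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.I)

def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def _is_active(el: ET.Element) -> bool:
    """Script-bearing element, or <set>/<animate> that rewrites a handler/href at runtime."""
    name, target = _local(el.tag), el.attrib.get("attributeName", "")
    return name in ACTIVE_ELEMENTS or (
        name in {"set", "animate"} and (target.startswith("on") or target.endswith("href")))

def _bad_attrs(el: ET.Element) -> list[str]:
    """Attribute keys on el that are inline event handlers or script: links."""
    return [a for a, v in el.attrib.items()
            if _local(a).lower().startswith("on") or (a in HREF_ATTRS and SCRIPT_SCHEME.match(v))]

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Report every place the SVG could run script; [] means it looks inert."""
    findings = []
    for el in ET.fromstring(svg_bytes).iter():  # production: parse with defusedxml instead
        name = _local(el.tag)
        if _is_active(el):
            findings.append(f"element <{name}>")
        findings += [f"attribute {_local(a)} on <{name}>" for a in _bad_attrs(el)]
    return findings

def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Return the SVG with active elements and attributes stripped."""
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):
        for child in list(parent):
            if _is_active(child):
                parent.remove(child)
        for attr in _bad_attrs(parent):
            del parent.attrib[attr]
    return ET.tostring(root, encoding="utf-8")

# Constructed sample of the kind of upload the advisory describes (not taken from the page).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
  onload="alert(1)"><script>alert(2)</script><a xlink:href="javascript:alert(3)">
  <rect width="10" height="10"/></a><circle r="5" onclick="alert(4)"/>
  <set attributeName="onmouseover" to="alert(5)"/></svg>"""
```

Rejecting any upload for which `find_active_content` returns findings is the stricter policy; `sanitize_svg` is the alternative when SVG uploads must be kept.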

Preconditions

  • auth: Attacker must have administrator-level access to the WordPress admin panel
  • config: The Z-Downloads plugin must be installed and active with a version before 1.11.7

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (No linked articles in our index yet.)