XT Floating Cart for WooCommerce <= 2.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

An authenticated attacker with at least Author-level access uploads a crafted SVG file containing embedded JavaScript (e.g., via `<script>` tags or event handlers) through the plugin's media upload functionality. The plugin's insufficient input sanitization and output escaping [ref_id=1] allow the SVG to be stored on the server. When any user (including administrators) views the uploaded SVG file, the injected script executes in their browser, leading to stored cross-site scripting.

The vulnerability resides in the XT Floating Cart for WooCommerce plugin's customizer component, specifically in the file `xt-framework/includes/customizer/class-customizer.php` around line 1012. The plugin fails to properly sanitize SVG file uploads and escape output, allowing authenticated attackers with Author-level access or higher to upload malicious SVG files containing arbitrary JavaScript.

The advisory does not include a published patch diff, but the recommended fix is to add proper input sanitization and output escaping for SVG file uploads. Specifically, the plugin should validate SVG files by stripping executable content (e.g., `<script>` tags, event handler attributes) and ensure that when SVG files are served, the Content-Type header is set correctly and any user-supplied content is escaped before rendering. Without these changes, an attacker can inject arbitrary web scripts that execute in the context of any user viewing the uploaded SVG.