VYPR
Medium severity · 6.4 · NVD Advisory · Published Oct 1, 2024 · Updated Apr 15, 2026

CVE-2024-9304

Description

The LocateAndFilter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in LocateAndFilter WordPress plugin (≤1.6.14) via SVG uploads allows authenticated authors to inject arbitrary scripts.

Vulnerability

Overview

The LocateAndFilter plugin for WordPress, in all versions up to and including 1.6.14, contains a Stored Cross-Site Scripting (XSS) vulnerability in its handling of SVG file uploads. The root cause is insufficient input sanitization and output escaping during the upload and rendering of SVG files. This flaw allows authenticated attackers to upload malicious SVG files containing arbitrary JavaScript or HTML that persists on the server [1].

Exploitation

Conditions

An attacker must have at least Author-level access to the WordPress site, which is enough to upload media files. No further privileges or unusual network position are required; the attacker simply uploads a crafted SVG file through the plugin's media handling. When any user (including site visitors or administrators) accesses the uploaded SVG file directly, the embedded script executes in the context of the victim's browser [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts that execute in the browsers of users viewing the SVG file. This can result in session hijacking, data theft, or defacement, depending on the injected payload. Because the script runs in the origin of the vulnerable site, it can read cookies and page content and perform actions on behalf of the victim user.

Mitigation

The vulnerability affects all versions up to and including 1.6.14. Site owners should update to a patched version if available; as of the publication date, users are advised to verify the plugin's changelog and upgrade accordingly. In the absence of an immediate patch, restricting SVG upload capabilities or applying output escaping filters may reduce risk.
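The following must-use plugin is an added hardening example, not code from the LocateAndFilter plugin, from WordPress core, or from the advisory itself. It implements the two interim mitigations named above: it removes SVG from the allowed upload MIME types, and, as defense in depth for sites where another plugin re-enables SVG, it inspects each SVG upload for active content before the file reaches the uploads directory. It assumes the vulnerable upload path runs through WordPress's standard upload pipeline (the `upload_mimes` and `wp_handle_upload_prefilter` hooks are real WordPress filters); a plugin that writes files with its own code would bypass these hooks, so verify that assumption against the plugin you are protecting. The helper name `harden_svg_reject_reason` and the regular-expression list are my own choices, and the list is a heuristic screen, not a complete SVG sanitizer.

```php
<?php
/**
 * Plugin Name: Restrict SVG uploads (hardening example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Added example; not part of the LocateAndFilter plugin or WordPress core.
 */

// 1. Default posture: drop image/svg+xml from the allowed upload MIME types
//    so WordPress's own media handling refuses SVG files outright.
add_filter( 'upload_mimes', function ( array $mimes ) {
    unset( $mimes['svg'], $mimes['svgz'] );
    return $mimes;
} );

// 2. Defense in depth: if SVG uploads are re-enabled elsewhere, inspect the
//    file before it is moved into the uploads directory and reject anything
//    that carries active content. Heuristic screen, not a full sanitizer.
function harden_svg_reject_reason( string $svg ) {
    $checks = array(
        '/<\s*script\b/i'                                  => 'script element',
        '/\bon[a-z]+\s*=/i'                                => 'event handler attribute',
        '/(?:href|xlink:href)\s*=\s*["\']?\s*javascript:/i' => 'javascript: URL',
        '/<\s*foreignObject\b/i'                           => 'foreignObject element',
        '/<\s*(?:iframe|embed|object)\b/i'                 => 'embedded document element',
        '/<!ENTITY\b/i'                                    => 'XML entity declaration',
    );
    foreach ( $checks as $pattern => $reason ) {
        if ( preg_match( $pattern, $svg ) ) {
            return $reason;
        }
    }
    return null; // nothing suspicious found
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext && 'svgz' !== $ext ) {
        return $file; // only SVG uploads are inspected here
    }

    $raw = file_get_contents( $file['tmp_name'] );
    $contents = ( 'svgz' === $ext && false !== $raw ) ? @gzdecode( $raw ) : $raw;
    if ( false === $contents ) {
        // Fail closed: an unreadable SVG is rejected rather than waved through.
        $file['error'] = 'SVG upload could not be read for inspection.';
        return $file;
    }

    $reason = harden_svg_reject_reason( $contents );
    if ( null !== $reason ) {
        // Setting $file['error'] aborts the upload and shows this message.
        $file['error'] = sprintf( 'SVG upload rejected: file contains a %s.', $reason );
    }
    return $file;
} );
```

The first filter alone closes the issue for sites that do not need SVG at all. Sites that must accept SVG should treat the second filter as a stopgap: the event-handler pattern can match harmless attribute names that begin with "on", and a screen based on patterns does not replace a proper SVG sanitizer or serving user-uploaded SVGs from a separate origin.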

References
  1. LocateAndFilter

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)