CVE-2024-9642
Description
The Editor Custom Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Editor Custom Color Palette plugin for WordPress allows authenticated attackers with Author-level access to inject arbitrary scripts via SVG file uploads.
The Editor Custom Color Palette plugin for WordPress, versions up to and including 3.3.7, contains a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping when handling SVG file uploads. This allows malicious SVG files to be uploaded and stored on the server.
An attacker must have at least Author-level access to the WordPress site to exploit this vulnerability. They can upload a crafted SVG file containing JavaScript code. When any user accesses the SVG file, the script executes in the context of the victim's browser.
Successful exploitation enables the attacker to inject arbitrary web scripts, potentially leading to session hijacking, defacement, or theft of sensitive information. The impact is limited to users who view the uploaded SVG file.
As of the publication date, no patch has been released; users are advised to restrict file upload permissions or disable SVG uploads if possible. The plugin's changelog [1] does not indicate a fix for this issue.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
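The mitigation above is to block or vet SVG uploads. As an added example (not from the advisory or the plugin), the following pre-upload check walks an SVG's XML tree and reports the constructs that let an SVG carry script: `<script>`/`<foreignObject>`-style elements, `on*` event-handler attributes, and `javascript:` URIs. The sample SVGs are constructed for illustration; the check is a triage gate, not a substitute for a full SVG sanitizer.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the advisory): a benign icon and an SVG
# carrying the kinds of active content a stored-XSS payload relies on.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#336699"/>
</svg>"""

ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="void(0)">
  <script>/* placeholder */</script>
  <a xlink:href="javascript:void(0)"><text y="10">x</text></a>
</svg>"""

# Elements that can execute script or embed foreign documents inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URI and may therefore carry a javascript: scheme.
URI_ATTRS = {"href", "src"}


def _local(name):
    """Strip the XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of human-readable findings for script-capable constructs.

    An empty list means no active content was found; an unparseable file
    is reported as a finding so it is rejected rather than silently accepted.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # also maps xlink:href -> href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the SVG parses and contains no active content."""
    return not find_active_content(svg_bytes)
```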
Affected products
- Range: <=3.3.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/editor-custom-color-palette/tags/3.3.6/asset/eccp-custom-back-office.php (NVD)
- plugins.trac.wordpress.org/browser/editor-custom-color-palette/tags/3.3.8/asset/eccp-custom-back-office.php (NVD)
- plugins.trac.wordpress.org/changeset/3177312/ (NVD)
- wordpress.org/plugins/editor-custom-color-palette/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/9e7f858c-945c-4d12-a2a6-113449ad890a (NVD)
News mentions
No linked articles in our index yet.