CVE-2024-9708

Vulnerability

The Easy SVG Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1. The plugin fails to properly sanitize SVG file uploads and escape output, allowing malicious SVG files to contain arbitrary JavaScript. This is due to insufficient input sanitization and output escaping [1].

Exploitation

An authenticated attacker with Author-level access or above can upload a crafted SVG file containing embedded scripts. When other users, including administrators, view or access the uploaded SVG file (e.g., via the media library or direct URL), the injected script executes in their browser. No additional privileges are required beyond the ability to upload media [1].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the website. The script executes in the context of the victim's browser, potentially compromising sensitive data or performing actions on behalf of the victim [1].

Mitigation

The vulnerability is addressed in version 1.2 of the plugin (scheduled for September 2025). Users are advised to update to the latest version once available or disable the plugin if SVG upload functionality is not required. As of publication, no workaround other than disabling the plugin is known [1].