WordPress Plugin Vulnerabilities

Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
uploading-svgwebp-and-ico-files
No known fix

References

CVE
CVE-2022-34648

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Kim Jong Min aka Universe
Verified
No
WPVDB ID
3ae2ea62-6fc0-438d-be26-1822f5670d47

Timeline

Publicly Published
2022-08-11 (about 3 years ago)
Added
2022-08-24 (about 3 years ago)
Last Updated
2023-05-14 (about 3 years ago)

Other

Published
Title
Published
2025-09-22
Title
Magento 2 WordPress Integration <= 1.4.2.1 - Admin+ Stored XSS
Published
2024-12-11
Title
Events Addon for Elementor < 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-15
Title
Admin Management Xtended < 2.4.7 - Contributor+ Stored XSS
Published
2026-02-27
Title
UberSlider Ultra <= 2.3 - Reflected Cross-Site Scripting
Published
2025-05-16
Title
Booking Calendar < 10.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode