WordPress Plugin Vulnerabilities

SVG Support 2.5-2.5.1 - Author+ Stored XSS

Description

The plugin does not have santization enabled and does not restrict SVG upload to administrator by default, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks by uploading malicious SVG

Affects Plugins

Plugin icon
svg-support
Fixed in 2.5.2

References

CVE
CVE-2022-4022

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
9e42c04a-0b77-4c88-9d16-87f99ca72a40

Timeline

Publicly Published
2022-11-16 (about 3 years ago)
Added
2022-11-16 (about 3 years ago)
Last Updated
2022-11-16 (about 3 years ago)

Other

Published
Title
Published
2022-11-21
Title
Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation
Published
2023-11-16
Title
Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints
Published
2025-11-07
Title
Flexible Refund and Return Order for WooCommerce < 1.0.43 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update
Published
2023-08-14
Title
Media from FTP < 11.17 - Author+ Arbitrary File Access
Published
2025-03-03
Title
Ultimate WordPress Auction Plugin < 4.3.0 - Contributor+ Arbitrary Post Deletion