WordPress Plugin Vulnerabilities

WP SVG Icons <= 3.2.3 - Admin+ Remote Code Execution (RCE)

Description

The plugin does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php code, leading to remote code execution.

Proof of Concept

Affects Plugins

Plugin icon
svg-vector-icon-plugin
No known fix

References

CVE
CVE-2022-0863

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
qerogram
Submitter
qerogram
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
a30212a0-c910-4657-aee1-4a2d72c77983

Timeline

Publicly Published
2022-05-18 (about 3 years ago)
Added
2022-05-18 (about 3 years ago)
Last Updated
2023-02-07 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Zingiri Web Shop <= 2.2.3 - ajax_file_cut.php selectedDoc Parameter Remote PHP Code
Published
2022-02-08
Title
PHP Everywhere < 3.0.0 - Subscriber+ RCE via Shortcode
Published
2025-06-23
Title
Content No Cache < 0.1.5 - Unauthenticated Arbitrary Function Call
Published
2024-11-01
Title
Media Library Assistant < 3.20 - Authenticated (Administrator+) Remote Code Execution
Published
2024-02-13
Title
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution