WordPress Plugin Vulnerabilities

Enable SVG, WebP & ICO Upload < 1.0.7 - Author+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameter, which could allow users with a role as low as author to perform stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
enable-svg-webp-ico-upload
Fixed in 1.0.7

References

CVE
CVE-2022-36343
URL
https://patchstack.com/database/vulnerability/enable-svg-webp-ico-upload/wordpress-enable-svg-webp-ico-upload-plugin-1-0-1-authenticated-stored-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Kim Jong Min aka Universe
Verified
No
WPVDB ID
b673688b-83dd-4525-b844-8b2044f664e3

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2024-11-29 (about 1 year ago)

Other

Published
Title
Published
2024-02-05
Title
Shariff Wrapper < 4.6.10 - Admin+ Stored XSS
Published
2024-10-24
Title
YITH WooCommerce Product Add-Ons < 4.14.2 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Shortcode Collection <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-05
Title
Gutenverse < 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks
Published
2025-03-25
Title
Quick Interest Slider <= 3.1.5 - Contributor+ Stored XSS