WordPress Plugin Vulnerabilities

WP SVG Icons <= 3.2.2 - Cross-Site Request Forgery (CSRF) leading to RCE

Description

The WP SVG Icons WordPress plugin was affected by a Cross-Site Request Forgery (CSRF) leading to RCE security vulnerability.

Affects Plugins

Plugin icon
svg-vector-icon-plugin
Fixed in 3.2.3

References

CVE
CVE-2019-14216
URL
https://zeroauth.ltd/blog/2019/08/09/cve-2019-14216-svg-vector-icon-plugin-wordpress-plugin-vulnerable-to-csrf-and-arbitrary-file-upload-leading-to-remote-code-execution/
URL
https://plugins.trac.wordpress.org/changeset/2126096/svg-vector-icon-plugin

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
zeroauth
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
f07500fd-9535-48e8-be7f-6c044979d8aa

Timeline

Publicly Published
2019-08-09 (about 6 years ago)
Added
2019-08-15 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-06-27
Title
Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 - Cross-Site Request Forgery
Published
2022-09-14
Title
Multiple Plugins from Viszt Peter - Multiple CSRF
Published
2025-06-13
Title
AI Image Lab – Free AI Image Generator <= 1.0.6 - Cross-Site Request Forgery to API Key Update
Published
2025-05-16
Title
Element Pack Pro < 8.0.0 - Cross-Site Request Forgery
Published
2025-03-04
Title
IP Based Login < 2.4.1 - Log Deletion via CSRF