CVE-2024-11847 – digimix/wp-svg-upload

Package

Manager: composer
Name: digimix/wp-svg-upload
Vulnerable Version: >=0 <=1.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00037 pctl0.09716

Details

wp-svg-upload WordPress plugin vulnerable to Stored Cross-site Scripting The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

Metadata

Created: 2025-03-26T06:31:37Z
Modified: 2025-04-01T20:59:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-v2rr-fhv8-mx74/GHSA-v2rr-fhv8-mx74.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-v2rr-fhv8-mx74
Finding: F425
Auto approve: 1