Vulnerabilities related to Unknown - wp-svg-upload
cve-2024-11847
Vulnerability from cvelistv5
Published: 2025-03-26 06:00
Modified: 2025-03-26 19:02
Summary
The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to upload SVGs with malicious JavaScript to conduct Stored XSS attacks.
References
URL | Tags |
---|---|
https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65/ | exploit, vdb-entry, technical-description |
Impacted products
Vendor | Product | Version |
---|---|---|
Unknown | wp-svg-upload | 0 ≤ 1.0.0 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-11847", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-26T19:02:28.728313Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-26T19:02:33.515Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "wp-svg-upload", vendor: "Unknown", versions: [ { lessThanOrEqual: "1.0.0", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Pierre Rudloff", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-79 Cross-Site Scripting (XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-26T06:00:02.270Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65/", }, ], source: { discovery: "EXTERNAL", }, title: "WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: 
"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-11847", datePublished: "2025-03-26T06:00:02.270Z", dateReserved: "2024-11-26T20:52:59.518Z", dateUpdated: "2025-03-26T19:02:33.515Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }