Vulnerability Details CVE-2024-5945
The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have permissions to upload sanitized files, to bypass SVG sanitization and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.0%
CVSS Severity
CVSS v3 Score 6.4
References
- https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L111
- https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L313
- https://plugins.trac.wordpress.org/changeset/3105276/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/389d96e9-1fad-49a6-89b6-8f7f108d8117?source=cve
- https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L111
- https://plugins.trac.wordpress.org/browser/wp-svg-images/trunk/wp-svg-images.php#L313
- https://plugins.trac.wordpress.org/changeset/3105276/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/389d96e9-1fad-49a6-89b6-8f7f108d8117?source=cve
Products affected by CVE-2024-5945
-
cpe:2.3:a:kubiq:wp_svg_images:-
-
cpe:2.3:a:kubiq:wp_svg_images:1.0
-
cpe:2.3:a:kubiq:wp_svg_images:1.1
-
cpe:2.3:a:kubiq:wp_svg_images:1.2
-
cpe:2.3:a:kubiq:wp_svg_images:1.3
-
cpe:2.3:a:kubiq:wp_svg_images:1.4
-
cpe:2.3:a:kubiq:wp_svg_images:2.0
-
cpe:2.3:a:kubiq:wp_svg_images:2.1
-
cpe:2.3:a:kubiq:wp_svg_images:2.2
-
cpe:2.3:a:kubiq:wp_svg_images:2.3
-
cpe:2.3:a:kubiq:wp_svg_images:2.4
-
cpe:2.3:a:kubiq:wp_svg_images:2.5
-
cpe:2.3:a:kubiq:wp_svg_images:2.6
-
cpe:2.3:a:kubiq:wp_svg_images:2.7
-
cpe:2.3:a:kubiq:wp_svg_images:2.8
-
cpe:2.3:a:kubiq:wp_svg_images:2.9
-
cpe:2.3:a:kubiq:wp_svg_images:3.0
-
cpe:2.3:a:kubiq:wp_svg_images:3.1
-
cpe:2.3:a:kubiq:wp_svg_images:3.2
-
cpe:2.3:a:kubiq:wp_svg_images:3.3
-
cpe:2.3:a:kubiq:wp_svg_images:3.4
-
cpe:2.3:a:kubiq:wp_svg_images:3.5
-
cpe:2.3:a:kubiq:wp_svg_images:3.6
-
cpe:2.3:a:kubiq:wp_svg_images:3.7
-
cpe:2.3:a:kubiq:wp_svg_images:4.0
-
cpe:2.3:a:kubiq:wp_svg_images:4.1
-
cpe:2.3:a:kubiq:wp_svg_images:4.2