CVE-2024-11847: WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG

Description

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

Classification

CVE ID: CVE-2024-11847

Problem Types

CWE-79 Cross-Site Scripting (XSS)

Affected Products

Vendor: Unknown

Product: wp-svg-upload

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.47% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-11847
https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65/

Timeline

2025-03-26 07:40:19 UTC
CVE

WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG