CVE-2024-4270: SVGMagic <= 1.1 - Stored XSS via SVG Upload

Description

The SVGMagic WordPress plugin through 1.1 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files containing malicious JavaScript and conduct Stored XSS attacks.

Classification

CVE ID: CVE-2024-4270

Problem Types

CWE-79 Cross-Site Scripting (XSS)

Affected Products

Vendor: Unknown

Product: SVGMagic

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 23.61% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-22 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-4270
https://wpscan.com/vulnerability/7a3b89cc-7a81-448a-94fc-36a7033609d5/

Timeline