Cross-Site Scripting Vulnerability in Inventivo's WordPress Plugin
CVE-2023-7088
What is CVE-2023-7088?
The Add SVG Support for Media Uploader plugin by Inventivo, specifically version 1.0.5, has a security flaw that permits users with author permissions to upload unvalidated SVG files. This oversight in input sanitization can lead to the execution of XSS payloads, posing a significant risk to website security. Attackers could exploit this vulnerability by uploading a specially crafted SVG file that executes malicious JavaScript within the user's browser, potentially compromising sensitive information or hijacking user sessions.
Affected Version(s)
Add SVG Support for Media Uploader | inventivo 0 <= 1.0.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved