Stored Cross-Site Scripting via SVG File uploads in Mime Config plugin
CVE-2024-10017

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Pjw Mime Config
Vendor: CVE Published:; 16 November 2024

Summary

The PJW Mime Config plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through SVG file uploads. This issue arises from inadequate input sanitization and output escaping processes present in the plugin. Authenticated users with Author-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages, compromising user interactions whenever the SVG file is accessed. This security risk underscores the importance of robust input handling mechanisms within WordPress plugins to protect against malicious script injections.

Affected Version(s)

PJW Mime Config * <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/pjw-mime-config

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 16, 2024
Vulnerability Reserved
Oct 16, 2024

Credit

Francesco Carlucci