Stored Cross-Site Scripting Via SVG File Uploads Vulnerability
CVE-2024-9115

5.4 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
26 September 2024

Summary

The Common Tools for Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting because SVG file uploads are not adequately sanitized on input or escaped on output. An authenticated attacker with Author-level access or above can upload an SVG containing web script that executes whenever a user views the affected SVG file. Left unaddressed, this flaw exposes the site to data theft, unauthorized actions performed on behalf of users, and site defacement.
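As an added illustration, not code from the plugin or from WordPress, the following is a conservative server-side check of the kind whose absence the summary describes: it parses an uploaded SVG and rejects files that carry script elements, event-handler attributes, or javascript: URLs. The sample SVGs are constructed for the example.

```python
# Added example (not the plugin's or WordPress's code): reject SVG uploads that
# carry active content instead of storing them verbatim. Constructed samples below.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can run script, embed arbitrary HTML, or rewrite attributes at runtime.
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate"}
# Attributes whose value is a URL and may therefore carry a script scheme.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# Denylist shown for clarity; a production sanitizer should allowlist schemes instead.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)

def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def svg_upload_problems(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means clean."""
    problems = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element is {_local(root.tag)!r}, not <svg>")
    for el in root.iter():  # root first, then every descendant in document order
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            problems.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):
                problems.append(f"event handler {attr} on <{name}>")
            elif attr in URL_ATTRS and SCRIPT_SCHEME.match(value):
                problems.append(f"unsafe URL scheme in {attr} on <{name}>")
    return problems

# Constructed samples: a benign icon and one carrying two script vectors.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
MALICIOUS = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
             b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    print(svg_upload_problems(BENIGN))      # []
    print(svg_upload_problems(MALICIOUS))   # two findings
```

A stricter policy, and the one many hardened WordPress setups choose, is to refuse SVG uploads from Author-level accounts altogether, since a passed check still leaves the file served from the site's own origin.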

Affected Version(s)

Common Tools for Site * <= 1.0.2

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Francesco Carlucci