Stored Cross-Site Scripting Via SVG File Uploads Vulnerability
CVE-2024-9115
5.4MEDIUM
Summary
The Common Tools for Site plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping when handling SVG file uploads. This vulnerability allows authenticated attackers with Author-level access and above to inject malicious web scripts that execute automatically whenever a user visits the affected SVG file. Failure to address this flaw can lead to significant security risks, including the potential for data theft, unauthorized actions on behalf of users, and site defacement.
Affected Version(s)
Common Tools for Site * <= 1.0.2
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci