Stored Cross-Site Scripting Via SVG File Uploads Vulnerability
CVE-2024-9115

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Common Tools For Site
Vendor: CVE Published:; 26 September 2024

Summary

The Common Tools for Site plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping when handling SVG file uploads. This vulnerability allows authenticated attackers with Author-level access and above to inject malicious web scripts that execute automatically whenever a user visits the affected SVG file. Failure to address this flaw can lead to significant security risks, including the potential for data theft, unauthorized actions on behalf of users, and site defacement.

Affected Version(s)

Common Tools for Site * <= 1.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/common-tools-for-site/#deve...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 26, 2024
Vulnerability Reserved
Sep 23, 2024

Credit

Francesco Carlucci