vulnerability

WordPress Plugin: wp-svg-images: CVE-2021-24386: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	Jun 14, 2021	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

Jun 14, 2021

Added

May 15, 2025

Modified

May 15, 2025

Description

The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended.

Solution

wp-svg-images-plugin-cve-2021-24386

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24386
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/b72a26dd-0d20-462e-bb71-ed83eae6766e?source=api-prod
CVE-2021-24386
https://attackerkb.com/topics/CVE-2021-24386

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today