CVE-2024-11847
📋 TL;DR
The wp-svg-upload WordPress plugin through version 1.0.0 enables SVG uploads without sanitizing the file contents, so any user with at least the Author role (which includes the ability to upload media) can store an SVG containing JavaScript. The result is stored cross-site scripting (XSS): the script runs when another user opens the SVG directly in the browser (or when it is embedded via <object>, <iframe> or <embed>; browsers do not execute script in SVGs loaded through <img> or CSS). Because the file is served from the site's own origin, the script runs with the victim's WordPress session. Any WordPress site with this plugin installed is affected.
💻 Affected Systems
- wp-svg-upload WordPress plugin
📦 What is this software?
Wp Svg Upload by Wp Svg Upload Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker with author privileges could inject persistent malicious scripts that execute in administrators' browsers, potentially leading to site takeover, credential theft, or malware distribution to visitors.
Likely Case
A malicious author uploads an SVG containing JavaScript and lures an editor or administrator into opening it (for example by linking to it from a post). The script then acts with that user's session in the site's origin, such as issuing authenticated admin-ajax or REST requests, or redirects the visitor to a phishing page. Note that WordPress authentication cookies are set HttpOnly, so reading them from script is unlikely; the realistic outcome is abuse of the live session rather than cookie theft.
If Mitigated
With the Author role restricted to trusted accounts and a Content Security Policy that blocks inline scripts (or serves everything under /wp-content/uploads/ with a sandbox policy), impact is limited to defacement or minor data leakage from users viewing malicious SVGs.
🎯 Exploit Status
Exploitation requires an account with at least Author privileges (the ability to upload media); SVG-based XSS payloads are well documented and trivial to produce.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65/
Restart Required: No
Instructions:
1. Remove the wp-svg-upload plugin completely (deactivate and delete it).
2. Delete all uploaded SVG files from the site, or at minimum review every SVG under wp-content/uploads for script content before keeping it. Removing the plugin does not remove payloads that were already uploaded.
3. If SVG uploads are required, switch to a plugin that sanitizes SVG content on upload (strips script elements, event-handler attributes and javascript: hrefs).
🔧 Temporary Workarounds
Disable plugin
Deactivate and delete the vulnerable plugin to prevent further malicious uploads (existing uploaded SVGs still need to be reviewed or deleted).
wp plugin deactivate wp-svg-upload
wp plugin delete wp-svg-upload
Block serving of uploaded SVG files
Use .htaccess or your web server configuration to stop SVG files from being served out of the uploads directory. This does not prevent uploads, but an SVG that cannot be fetched cannot trigger the XSS. Add to wp-content/uploads/.htaccess (the first block is for Apache 2.4, the second for Apache 2.2):
<FilesMatch "\.svgz?$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
On nginx the equivalent is a location block matching /wp-content/uploads/.*\.svgz?$ that returns 403.
🧯 If You Can't Patch
- Remove the Author role (and any role that can upload media) from untrusted users
- Serve everything under /wp-content/uploads/ with a Content-Security-Policy: sandbox header and Content-Disposition: attachment, so an SVG opened directly cannot run script in the site's origin; a site-wide CSP without 'unsafe-inline' in script-src also blocks inline SVG scripts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for wp-svg-upload version 1.0.0 or earlier.
Check Version:
wp plugin get wp-svg-upload --field=version
Verify Fix Applied:
Confirm the plugin directory wp-content/plugins/wp-svg-upload no longer exists and the plugin no longer appears in the WordPress admin, and that no unreviewed SVG files remain under wp-content/uploads (find wp-content/uploads -iname '*.svg').
📡 Detection & Monitoring
Log Indicators:
- SVG files added to the media library by Author-level accounts, especially accounts that normally publish no media
- Bursts of media uploads from a single author account, or uploads followed shortly by posts linking to the uploaded SVG
Network Indicators:
- HTTP POST requests to /wp-admin/async-upload.php or /wp-json/wp/v2/media whose multipart body carries a .svg filename (uploads are submitted to these endpoints; /wp-content/uploads/ only serves the stored file afterwards)
- GET requests for /wp-content/uploads/*.svg from authenticated editor or administrator sessions, particularly with a Referer outside the media library
SIEM Query (field names follow the page's own query style and must be mapped to your log source; the uploaded filename is only visible if request bodies or WordPress audit events are logged):
source="wordpress" AND ((method="POST" AND (url="*wp-admin/async-upload.php*" OR url="*wp-json/wp/v2/media*")) OR (method="GET" AND url="*wp-content/uploads/*.svg"))
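Log indicators only show that an SVG was uploaded or fetched; they do not say whether it carries script. As an added example (a hypothetical scanner, not code from the wp-svg-upload project or from WordPress), the Python script below walks a wp-content/uploads tree and reports SVG files containing active content, so that step 2 of the fix instructions (removing uploaded SVGs) and the indicators above can be backed by a check of what is actually stored on disk. It flags <script> and similar elements, on* event handlers and javascript:/vbscript:/non-image data: hrefs (after stripping the whitespace attackers insert to dodge naive matching), refuses to parse files with DOCTYPE/ENTITY declarations, and reports files the XML parser rejects for manual review. The sample SVG files, directory layout and function names are the example's own.

```python
"""Scan a WordPress uploads tree for SVG files that carry active content.

Added, hypothetical example: not part of wp-svg-upload or WordPress.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Elements that host or embed script when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "handler"}
# A DOCTYPE with entities risks entity-expansion blowups; flag it, do not parse it.
DOCTYPE_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def href_risk(value: str) -> str:
    """Return the risky scheme of an href value, or '' if it looks harmless.
    Whitespace and control characters are removed first because attackers
    insert them (e.g. 'java&#10;script:') to defeat plain string matching."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    scheme = cleaned.split(":", 1)[0] if ":" in cleaned else ""
    if scheme in ("javascript", "vbscript"):
        return scheme
    if scheme == "data" and not cleaned.startswith("data:image/"):
        return scheme  # data:text/html etc. can carry markup and script
    return ""


def find_active_content(svg_bytes: bytes) -> list:
    """Return human-readable findings for one SVG; an empty list means clean."""
    if DOCTYPE_RE.search(svg_bytes):
        return ["DOCTYPE/ENTITY declaration present; not parsed, review manually"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); review manually"]
    findings = []
    for el in root.iter():  # includes the root <svg>, so onload on it is caught
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local_name(attr)  # covers both href and xlink:href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                risk = href_risk(value)
                if risk:
                    findings.append(f"{risk}: href on <{tag}>")
    return findings


def scan_uploads(uploads_dir: str) -> dict:
    """Walk the uploads tree and map each flagged .svg path to its findings."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            if not fname.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings = find_active_content(fh.read())
            if findings:
                flagged[path] = findings
    return flagged


# Constructed sample files (not real uploads), one per code path.
SAMPLES = {
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                b'<circle cx="5" cy="5" r="4" fill="red"/></svg>',
    "evil.svg": b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(0)">'
                b'<script>alert(document.domain)</script>'
                b'<a xlink:href="java&#10;script:alert(1)"><text>x</text></a></svg>',
    "bomb.svg": b'<!DOCTYPE svg [<!ENTITY a "aaaa">]>'
                b'<svg xmlns="http://www.w3.org/2000/svg">&a;</svg>',
    "broken.svg": b"<svg><script>",
}


def demo() -> dict:
    """Write the samples into a temporary uploads tree, scan it, and return
    findings keyed by file name; the temporary tree is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        subdir = os.path.join(tmp, "2024", "12")
        os.makedirs(subdir)
        for fname, data in SAMPLES.items():
            with open(os.path.join(subdir, fname), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): f for p, f in scan_uploads(tmp).items()}


if __name__ == "__main__":
    for fname, findings in sorted(demo().items()):
        print(fname)
        for finding in findings:
            print("  -", finding)
```

Run it against a real site with scan_uploads("/var/www/html/wp-content/uploads"); a clean result does not prove the SVGs are safe (only that they use none of the patterns checked), but any hit is a file that must be deleted or sanitized before the plugin is removed and forgotten.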