CVE-2024-8964
📋 TL;DR
The Sirv WordPress plugin versions up to 7.2.9 have a stored XSS vulnerability in SVG file uploads. Authenticated attackers with Author privileges or higher can inject malicious scripts that execute when users view uploaded SVG files. This affects all WordPress sites using vulnerable Sirv plugin versions.
💻 Affected Systems
- Image Optimizer, Resizer and CDN – Sirv WordPress plugin
📦 What is this software?
Sirv by Sirv
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with compromised author accounts inject malicious scripts to steal user session cookies or perform phishing attacks against site visitors.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without data exfiltration.
🎯 Exploit Status
Exploitation requires authenticated access with at least Author privileges. SVG file upload with embedded JavaScript is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.3.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3162079/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Image Optimizer, Resizer and CDN – Sirv'. 4. Click 'Update Now' if available. 5. Alternatively, download version 7.3.0+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
linuxPrevent SVG file uploads at web server level
Add to .htaccess: <FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Restrict user roles
allLimit Author+ roles to trusted users only
🧯 If You Can't Patch
- Temporarily disable the Sirv plugin until patching is possible
- Implement Content Security Policy headers to restrict script execution from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Sirv plugin version. If version is 7.2.9 or lower, system is vulnerable.Check Version:
wp plugin list --name=sirv --field=versionVerify Fix Applied:
Confirm Sirv plugin version is 7.3.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author+ users
- Multiple failed SVG upload attempts
- Admin user logins from unusual locations following SVG uploads
Network Indicators:
- Outbound connections to suspicious domains after SVG file access
- Unusual JavaScript loading from SVG file paths
SIEM Query:
source="wordpress" AND (event="plugin_update" AND plugin_name="sirv" AND version<="7.2.9") OR (event="file_upload" AND file_extension="svg" AND user_role IN ("author","editor","administrator"))