CVE-2022-34648: WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack
Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in the Uploading SVG, WEBP and ICO files plugin (<= 1.0.1) by dmitrylitvinov for WordPress.
Verified
Not fixed
CVSS 3.1 score: 4.8 (Medium severity)
Software
Uploading SVG, WEBP and ICO files
Vulnerable versions
<= 1.0.1
PSID
6ae7f03579ae
Classification
Cross Site Scripting (XSS)
OWASP Top 10
A7: Cross-Site Scripting (XSS)
Required privilege
Requires author or higher role user authentication.
Publicly disclosed
2022-08-12
Details
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload, discovered by Universe (Patchstack Alliance) in the WordPress Uploading SVG, WEBP and ICO files plugin (versions <= 1.0.1).
Solution
No patched version available.