CVE-2024-11847: wp-svg-upload WordPress plugin vulnerable to Stored Cross-site Scripting

March 26, 2025 (updated April 1, 2025)

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

References

github.com/advisories/GHSA-v2rr-fhv8-mx74
github.com/digimix/wp-svg-upload
nvd.nist.gov/vuln/detail/CVE-2024-11847
wpscan.com/vulnerability/f57ecff2-0cff-40c7-b6e4-5b162b847d65

Code Behaviors & Features

Detect and mitigate CVE-2024-11847 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →