Description The plugin does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues
1. Upload an H5P archive containing a malicious SVG file w/an XSS
2. Example: https://drive.google.com/file/d/1DNZmv-at_HPtDeYr8ExjRrekHSUOaGzh/view?usp=sharing
3. Once the upload is finished, users will be able to access the malicious SVG directly, triggering an XSS