The plugin does not sanitise uploaded SVG files. Because SVG is an XML document that can carry script (script elements, event-handler attributes such as onload, javascript: hrefs), any user with a role as low as Author can upload an SVG containing an XSS payload, which executes in the browser of anyone who views the file, i.e. a stored cross-site scripting vulnerability.
1. Upload a malicious SVG:
2. Add it to a post and view the SVG to trigger the XSS.
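The following is an added example, not code from the enable-svg-uploads plugin (which is PHP) or from the advisory: a small checker that rejects the kinds of SVG the steps above rely on. It flags script and foreign-content elements, on* event-handler attributes, script-scheme hrefs (javascript:, vbscript:, data:) and DOCTYPE/ENTITY declarations. The two SVG documents in the block are constructed for the example; the function names svg_findings and is_safe_svg are this example's own.

```python
# Added example: a detector for script-bearing SVG uploads, illustrating the
# payload class this advisory describes. Not the plugin's code; the sample
# documents are constructed for this example.
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed foreign content when the SVG is
# rendered inline or opened as a document.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# href values that turn a link, <use> or <image> into a script vector.
# Leading whitespace/control characters are tolerated by browsers, so
# they are allowed before the scheme here too.
SCRIPT_URI_RE = re.compile(r"^[\s\x00-\x1f]*(javascript|vbscript|data)\s*:",
                           re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected (empty if none)."""
    findings = []
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        # Entity declarations are the entry point for XXE / entity-expansion
        # tricks; a plain image never needs them.
        findings.append("DOCTYPE/ENTITY declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)  # xlink:href and href both end up as "href"
            if name.lower().startswith("on"):
                findings.append(f"{name} event handler on <{tag}>")
            elif name == "href" and SCRIPT_URI_RE.match(value):
                findings.append(f"script URI in href on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True when no dangerous construct was found."""
    return not svg_findings(data)


# Constructed sample: the kind of file step 1 of the PoC would upload.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
</svg>"""

# Constructed sample: an ordinary icon that should be accepted.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_findings(doc) or "ok")
```

Run as a script it reports three findings for the malicious sample (onload on svg, the script element, the javascript: href) and nothing for the benign one. This is a deny-list, so treat it as a detection aid rather than a sanitiser: a production fix should either keep WordPress core's default of refusing SVG uploads altogether, or run every upload through an allow-list SVG sanitiser (in WordPress, from a wp_handle_upload_prefilter callback) before the file is stored.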
CPE | Name | Operator | Version |
---|---|---|---|
 | enable-svg-uploads | eq | * |