Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
1. Create a SVG file with the malicious payload within it; Example SVG file: https://github.com/codesecure-org/xss-svg/blob/main/1.svg?short_path=97b023c 2. As a user with the Author role, go to the “Media” page and upload the SVG file 3. Access the uploaded file directly 4. You will see the XSS