Vulnerability Information
Vulnerability Title
WP SVG Images < 3.4 - Authenticated (author+) Stored XSS via SVG
Vulnerability Description
The WP SVG Images WordPress plugin before 3.4 did not sanitise uploaded SVG files, which could allow low-privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such uploads to editors and admins, with an option to also allow authors to do so. The plugin's description has also been updated with a security warning, as upload of such content is intended.
CVSS Information
N/A
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
WordPress plugin cross-site scripting vulnerability
Vulnerability Description
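WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers running PHP and MySQL. A WordPress plugin is an open-source application plugin for WordPress. The WP SVG Images plugin for WordPress has a cross-site scripting vulnerability, which stems from the WP SVG Images plugin before 3.4 not validating uploaded SVG files. An attacker can exploit this vulnerability, which allows low-privilege users (such as author+) to upload a malicious SVG and then perform XSS attacks by inducing other users to access the file directly.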
CVSS Information
N/A
Vulnerability Type
N/A
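The description above says versions before 3.4 did not sanitise uploaded SVG files. As an added example (not the plugin's code; the function name, the element allowlist and the sample strings are assumptions), this PHP check parses an upload and lists the active content that would justify rejecting it:

```php
<?php
// Added example, not the plugin's code. Names and the allowlist are assumptions.
const SVG_NS = 'http://www.w3.org/2000/svg';
const SVG_ALLOWED = ['svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle',
    'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan', 'linearGradient',
    'radialGradient', 'stop', 'clipPath', 'mask'];
/** Returns the reasons to reject an uploaded SVG; an empty array means it passed. */
function svg_upload_problems(string $svg): array
{
    if (trim($svg) === '') { return ['empty file']; }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // keep parser warnings out of the output
    $ok   = $doc->loadXML($svg, LIBXML_NONET);     // no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null) {
        return ['not well-formed XML'];
    }
    $problems = [];
    if ($doc->doctype !== null) {
        $problems[] = 'DOCTYPE present (can define entities)';
    }
    $xpath = new DOMXPath($doc);
    if ($xpath->query('//processing-instruction()')->length > 0) {
        $problems[] = 'processing instruction present';
    }
    foreach ($xpath->query('//*') as $el) {
        // Anything outside the SVG namespace or the allowlist (script, foreignObject, a, ...) fails.
        if ($el->namespaceURI !== SVG_NS || !in_array($el->localName, SVG_ALLOWED, true)) {
            $problems[] = "element <{$el->nodeName}> not on the allowlist";
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            $value    = trim($attr->value);
            if (strncmp($attrName, 'on', 2) === 0) {
                $problems[] = "event handler attribute {$attr->nodeName} on <{$el->nodeName}>";
            } elseif ($attrName === 'href' && ($value === '' || $value[0] !== '#')) {
                $problems[] = "href on <{$el->nodeName}> is not a same-document fragment";
            }
        }
    }
    return $problems;
}
// Constructed samples, not real uploads.
$clean   = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$flagged = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>';
foreach (['clean' => $clean, 'flagged' => $flagged] as $label => $sample) {
    echo $label, ': ', json_encode(svg_upload_problems($sample)), PHP_EOL;
}
```

The allowlist is deliberately narrow, so files that rely on `style`, `use` or `image` elements are rejected as well and would need a reviewed extension of the list.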