
CVSS: 7.5 · EPSS: 0% · CPEs: 1 · EXPL: 1

17 Oct 2024 — In the Safe SVG WordPress plugin before 2.2.6, the sanitisation code runs only for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data. The Safe SVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-le... • https://wpscan.com/vulnerability/17be4bf2-486d-43ab-b87a-2117c8d77ca8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.7 · EPSS: 0% · CPEs: 1 · EXPL: 1

25 Mar 2022 — The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the Content-Type in the POST request used to upload a file. By exploiting this vulnerability, an attacker is able to perform the kinds of attacks that this plugin is meant to prevent (mainly XSS, but, depending on further use of the uploaded SVG files, potentially other XML attacks). • https://github.com/10up/safe-svg/pull/28 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 · EPSS: 0% · CPEs: 1 · EXPL: 0

05 Nov 2019 — A Denial of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes. • https://fortiguard.com/zeroday/FG-VD-19-113 • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 · EPSS: 0% · CPEs: 1 · EXPL: 0

05 Nov 2019 — A Denial of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring. • https://fortiguard.com/zeroday/FG-VD-19-113 • CWE-400: Uncontrolled Resource Consumption; CWE-674: Uncontrolled Recursion