WP Toolkit detects security issues

Indeed, WP Scan also detects the same vulnerability:

https://wpscan.com/vulnerability/91898762-aa7d-4fbc-a016-3de48901e5de

And Wordfence as well, of course:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/enable-svg-webp-ico-upload/enable-svg-webp-ico-upload-103-authenticated-author-stored-cross-site-scripting-via-svg

At the time of writing, a full disclosure about the vulnerability was not yet publicly shown on the assigned vulnerability numbered CVE-2023-2143, but it will be soon. Allegedly, the author of this plugin was contacted back in April 2023 to fix the vulnerability.

These days, all SVGs ought to be properly sanitized before allowing them to be user-uploaded (as the SafeSVG plugin already does), not merely ‘enabling’ the Media Library to upload SVG files…

• This reply was modified 1 year, 4 months ago by Gwyneth Llewelyn. Reason: Added a few more tags