CVE-2022-0595: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload WordPress plugin before version 1.3.6.3 contains a security vulnerability identified as CVE-2022-0595. The vulnerability was discovered and disclosed in March 2022, affecting the plugin's file upload functionality. The issue allows SVG files to be uploaded by default through the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting (XSS) attacks (WPScan, NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 6.1 (medium severity). The security flaw exists in the AJAX-based file upload functionality, specifically in the dnd_codedropz_upload action, which fails to properly validate SVG file uploads. This vulnerability is tracked under CWE-79, which relates to improper neutralization of input during web page generation (WPScan).

The vulnerability allows attackers to upload malicious SVG files containing JavaScript code, which could lead to stored Cross-Site Scripting attacks. When these SVG files are accessed, the embedded malicious code could execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been patched in version 1.3.6.3 of the Drag and Drop Multiple File Upload WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks. The fix was implemented through a code change that can be found in the WordPress plugin repository (WordPress Plugin).