CVE-2022-1091: 
PHP vulnerability analysis and mitigation

CVE-2022-1091 is a security vulnerability discovered in the Safe SVG WordPress plugin versions before 1.9.10. The vulnerability was disclosed on March 25, 2022. The issue affects the plugin's sanitization mechanism for SVG file uploads, which is designed to prevent malicious file uploads (WPScan).

The vulnerability exists in the sanitization step of the Safe SVG plugin, where the content-type verification can be bypassed by spoofing the content-type in the POST request during file upload. The plugin relies on the Content-Type from the original form-data request instead of properly validating the actual file type, allowing attackers to circumvent the security checks (GitHub PR).

If exploited, this vulnerability allows attackers to bypass the SVG sanitization process, potentially enabling various attacks that the plugin was designed to prevent. The primary risk is Cross-Site Scripting (XSS), but depending on how the uploaded SVG files are used, other XML-based attacks might also be possible (WPScan).

The vulnerability has been fixed in Safe SVG version 1.9.10. The fix implements better file type checking by utilizing WordPress's core wpcheckfiletypeandext function instead of relying on the Content-Type from the request. Users are advised to update to version 1.9.10 or later to protect against this vulnerability (GitHub PR).