CVE-2022-1562: 
WordPress vulnerability analysis and mitigation

The Enable SVG WordPress plugin before version 1.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1562. The vulnerability was discovered on May 3, 2022, and affects users with roles as low as Author. The core issue stems from the plugin's failure to properly sanitize uploaded SVG files (WPScan Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. It is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The technical root cause is the lack of proper sanitization of SVG files during the upload process, which allows for the injection of malicious XSS payloads (NVD).

When exploited, this vulnerability allows authenticated users with Author privileges or higher to upload SVG files containing malicious XSS payloads. These payloads are executed when the uploaded SVG file is accessed directly through the WordPress media library, potentially affecting site administrators and other users who view the malicious file (WPScan Advisory).

The vulnerability has been fixed in version 1.4.0 of the Enable SVG plugin. Users are strongly advised to update to this version or later to mitigate the risk. If immediate updating is not possible, consider restricting SVG upload capabilities to trusted administrators only (WPScan Advisory).