CVE-2022-1964: 
WordPress vulnerability analysis and mitigation

CVE-2022-1964 affects the Easy SVG Support WordPress plugin versions before 3.3.0. The vulnerability was discovered and publicly disclosed on June 1, 2022. This security issue allows users with author-level permissions or higher to upload malicious SVG files containing cross-site scripting (XSS) payloads due to insufficient sanitization of uploaded files (WPScan).

The vulnerability stems from the plugin's failure to properly sanitize SVG files during the upload process. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with author-level access to upload SVG files containing malicious JavaScript code. When these SVG files are accessed directly through their URLs, the embedded XSS payload executes in the victim's browser, potentially leading to unauthorized actions and data theft (WPScan).

The vulnerability has been patched in version 3.3.0 of the Easy SVG Support plugin. Users are strongly advised to update to this version or later to protect against this security risk (WPScan).