CVE-2022-2299: 
WordPress vulnerability analysis and mitigation

CVE-2022-2299 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Allow SVG Files' versions 1.1 and below. The vulnerability was discovered by Luan Pedersini and publicly disclosed on July 4, 2022. The issue affects WordPress installations with the vulnerable plugin installed (WPScan).

The vulnerability stems from improper sanitization of uploaded SVG files in the plugin. Users with author-level privileges or higher can upload malicious SVG files containing XSS payloads through the WordPress Media library. The vulnerability has been assigned a CVSS score of 4.8 (medium severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows attackers with author-level access to upload SVG files containing malicious JavaScript code. The XSS payload gets executed when users access the uploaded SVG file directly through the WordPress media URL structure (WPScan).

As of the last update, there is no known fix available for this vulnerability. Site administrators using the affected plugin should consider either removing the plugin or implementing additional security controls to restrict SVG file uploads (WPScan).