CVE-2023-4460: 
WordPress vulnerability analysis and mitigation

CVE-2023-4460 is a security vulnerability affecting the WordPress plugin 'Uploading SVG, WEBP and ICO files' versions 1.2.1 and below. The vulnerability was publicly disclosed on November 13, 2023, and is classified as a Stored Cross-Site Scripting (XSS) vulnerability. The affected plugin fails to properly sanitize uploaded SVG files, potentially exposing WordPress installations to security risks (WPScan).

The vulnerability has been assigned a CVSS score of 4.8 (medium severity) and is classified under CWE-79. The security flaw stems from improper sanitization of SVG file uploads, which allows users with Author-level permissions or higher to upload malicious SVG files containing XSS payloads. This vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows attackers with Author-level access to upload SVG files containing malicious JavaScript code. When these SVG files are accessed through their URLs, the embedded malicious code executes, potentially compromising the security of site visitors and administrators (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Website administrators using the affected plugin should consider disabling SVG upload functionality or implementing additional security controls to validate and sanitize SVG files before upload (WPScan).