CVE-2023-6541: 
WordPress vulnerability analysis and mitigation

The Allow SVG WordPress plugin before version 1.2.0 contains a security vulnerability identified as CVE-2023-6541. The vulnerability was discovered and disclosed in December 2023, affecting WordPress installations using the Allow SVG plugin versions prior to 1.2.0. The core issue lies in the plugin's failure to properly sanitize uploaded SVG files, which affects users with author-level permissions or higher (WPScan, Wiz).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically related to insufficient sanitization of SVG file uploads. It has been assigned a CVSS score of 6.1 (medium severity) and is categorized under OWASP Top 10 A7: Cross-Site Scripting (XSS) and CWE-79. The technical nature of the vulnerability allows for the upload of SVG files containing malicious XSS payloads that can be executed when accessed directly (WPScan, Wiz).

When exploited, the vulnerability enables attackers with author-level access or higher to upload SVG files containing malicious XSS payloads. These payloads can execute in the context of other users' browsers when the SVG files are accessed directly, potentially leading to unauthorized actions and data theft (Wiz).

The vulnerability has been fixed in version 1.2.0 of the Allow SVG plugin. Users are strongly advised to update to this version or later to protect against potential XSS attacks (Wiz).

The vulnerability was initially discovered and reported by security researcher Bob Matyas, who maintains a presence on Twitter as @bobmatyas (WPScan).