CVE-2023-6541: 
WordPress vulnerability analysis and mitigation

The Allow SVG WordPress plugin before version 1.2.0 contains a security vulnerability that affects the file upload functionality. The vulnerability was discovered and disclosed in December 2023, identified as CVE-2023-6541. The plugin fails to properly sanitize uploaded SVG files, affecting WordPress installations using the Allow SVG plugin versions prior to 1.2.0 (WPScan, MITRE).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically related to insufficient sanitization of SVG file uploads. The vulnerability has been assigned a CVSS score of 4.8 (medium severity) and is categorized under OWASP Top 10 A7: Cross-Site Scripting (XSS) and CWE-79. Users with author-level permissions or higher can exploit this vulnerability by uploading malicious SVG files containing XSS payloads (WPScan).

The vulnerability allows attackers with author-level access or higher to upload SVG files containing malicious XSS payloads. When these SVG files are accessed directly, the embedded XSS payload can execute in the context of other users' browsers, potentially leading to unauthorized actions and data theft (WPScan).

The vulnerability has been fixed in version 1.2.0 of the Allow SVG plugin. Users are strongly advised to update to this version or later to protect against potential XSS attacks (WPScan).

The vulnerability was initially discovered and reported by security researcher Bob Matyas, who maintains a presence on Twitter as @bobmatyas (WPScan).