CVE-2023-7086: 
WordPress vulnerability analysis and mitigation

The SVG Uploads Support WordPress plugin through version 2.1.1 contains a security vulnerability that affects the file upload functionality. The vulnerability was discovered by Bob Matyas and was publicly disclosed on January 23, 2024. The issue affects WordPress installations using the affected versions of the plugin (WPScan).

The vulnerability stems from insufficient sanitization of uploaded SVG files in the plugin. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (NVD).

The vulnerability allows users with Author-level privileges or higher to upload malicious SVG files containing XSS (Cross-Site Scripting) payloads. When these SVG files are accessed directly, the embedded malicious code can execute in users' browsers, potentially leading to unauthorized actions or data theft (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the SVG Uploads Support plugin should consider disabling SVG upload functionality or implementing additional security controls to validate and sanitize SVG files before allowing them to be uploaded (Wiz).