CVE-2024-10269: 
WordPress vulnerability analysis and mitigation

The Easy SVG Support plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10269) that affects all versions up to and including 3.7. The vulnerability was discovered and disclosed in November 2024, impacting the plugin's SVG file upload functionality via REST API (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality via REST API. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file (NVD).

The vulnerability has been patched in version 3.8 of the Easy SVG Support plugin, released on November 4th, 2024. Users are strongly advised to update to this latest version which includes security fixes for the image uploader (WordPress Plugin).