CVE-2024-8378: 
WordPress vulnerability analysis and mitigation

The Safe SVG WordPress plugin before version 2.2.6 contains a security vulnerability related to SVG file sanitization. The vulnerability was discovered on October 17, 2024, and was assigned CVE-2024-8378. The issue affects the plugin's sanitization mechanism, which only processes files uploaded through wphandleupload but fails to sanitize files uploaded via wphandlesideload (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 4.8 (medium). The attack vector requires network access (AV:N) with low attack complexity (AC:L), high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD).

The vulnerability allows authenticated users with Author-level access or higher to bypass the SVG sanitization mechanism. This could potentially lead to the upload of malicious SVG files containing executable scripts, which could be triggered when users access the affected pages (WPScan).

The vulnerability has been fixed in Safe SVG version 2.2.6. Users are advised to update to this version or later to mitigate the security risk (WPScan).