CVE-2024-8673: 
WordPress vulnerability analysis and mitigation

The Z-Downloads WordPress plugin before version 1.11.7 contains a file upload validation vulnerability identified as CVE-2024-8673. The vulnerability was publicly disclosed on August 6, 2024, and affects the file upload functionality of the plugin, specifically related to improper validation of uploaded files (WPScan).

The vulnerability stems from improper validation of uploaded files, specifically allowing SVG files containing malicious JavaScript to be uploaded to the system. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified as a Cross-Site Scripting (XSS) vulnerability under CWE-79. The vulnerability can be exploited by uploading an SVG file containing malicious JavaScript code through the 'Z-Downloads > Upload a File' functionality (WPScan).

When exploited, this vulnerability allows attackers to upload SVG files containing malicious JavaScript code, which can lead to stored Cross-Site Scripting (XSS) attacks. The impact is limited to authenticated users with admin or higher privileges (WPScan, Wiz).

The vulnerability has been patched in version 1.11.7 of the Z-Downloads WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan, Wiz).