CVE-2024-9069: 
WordPress vulnerability analysis and mitigation

The Graphicsly WordPress plugin (versions up to 1.0.2) contains a Stored Cross-Site Scripting vulnerability via SVG File uploads. The vulnerability was discovered and disclosed on September 24, 2024, and is tracked as CVE-2024-9069. The plugin, which provides graphics functionality for various WordPress website builders (Gutenberg, Elementor, Beaver Builder, WPBakery), is affected by insufficient input sanitization and output escaping issues (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required user interaction (NVD).

The vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages through SVG file uploads. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially leading to unauthorized actions and data exposure (NVD).

The plugin has been closed as of September 23, 2024, due to security issues. Users should immediately remove the plugin from their WordPress installations as no patches are available (WordPress Plugin).