CVE-2024-9111: 
WordPress vulnerability analysis and mitigation

The Product Designer plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9111) that affects all versions up to and including 1.0.35. The vulnerability was disclosed on November 21, 2024, and impacts the SVG file upload functionality in the plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. This security flaw has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-site Scripting) (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with Author-level privileges or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file (NVD).

The vulnerability has been addressed in version 1.0.37 of the Product Designer plugin, released on December 12, 2024, which completely removed the SVG upload feature. Users are advised to update to this latest version immediately (WordPress Plugin).