CVE-2024-9544: 
WordPress vulnerability analysis and mitigation

The MapSVG plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9544) affecting versions up to and including 8.6.4. The vulnerability was discovered by Mo'men Saad from Almosafer and was publicly disclosed on May 21, 2025. This security issue specifically affects the plugin's SVG file upload functionality, which lacks proper input sanitization and output escaping (Wiz Database, NVD Database).

The vulnerability is classified with a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical issue stems from insufficient input sanitization and output escaping in the SVG file upload functionality. The vulnerability is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised SVG file, potentially leading to client-side attacks and data theft (NVD Database).

Website administrators running affected versions of the MapSVG plugin (8.6.4 and below) should update to the latest version as soon as it becomes available. In the meantime, it's recommended to restrict SVG upload capabilities to trusted administrators only (Wordfence Intel).