CVE-2024-9544: 
WordPress vulnerability analysis and mitigation

The MapSVG plugin for WordPress (versions up to 8.6.4) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-9544. The vulnerability was discovered by Mo'men Saad from Almosafer and was publicly disclosed on May 21, 2025. This security issue affects the plugin's SVG file upload functionality, which lacks proper input sanitization and output escaping (Wordfence Intel).

The vulnerability is classified with a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical issue stems from insufficient input sanitization and output escaping in the SVG file upload functionality. The vulnerability is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised SVG file, potentially leading to client-side attacks and data theft (NVD Database).

Website administrators running affected versions of the MapSVG plugin (8.6.4 and below) should update to the latest version as soon as it becomes available. In the meantime, it's recommended to restrict SVG upload capabilities to trusted administrators only (Wordfence Intel).