CVE-2024-9850: 
WordPress vulnerability analysis and mitigation

The SVG Case Study plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-9850. The vulnerability was discovered in all versions up to and including 1.0, with the disclosure date of November 15, 2024. This security issue affects WordPress installations with the SVG Case Study plugin installed (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. The issue has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires low attack complexity but also requires privileged access to exploit (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially leading to the compromise of user sessions and data theft (NVD).

As of November 14, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to immediately remove the SVG Case Study plugin from their WordPress installations (WordPress).