CVE-2024-8915

Published
View on NVD ↗
CVSS v3
6.4
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT

Description

The Category Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Category Icon
Category Icon
<p>A WordPress plugin to easily attach an icon to a category, tag or any other taxonomy term.</p> <p>** Now supports a category, tag or any other taxonomy image field, also.</p> <p>Please note that this plugin will not automatically output the icon or the image on the frontend of our site.</p> <p>It is up to you to query and output in your theme using the provided getter functions: <code>get_term_icon_id()</code>, <code>get_term_icon_url()</code>, <code>get_term_image_id()</code>, <code>get_term_image_url()</code>.</p>
WordPress Plugin DirectoryWordPress Plugin Directory
91.3K