
CVE-2024-12574: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in amrendesign SVG Shortcode

Severity: Medium
Published: Fri Dec 13 2024 (12/13/2024, 04:23:26 UTC)
Source: CVE Database V5
Vendor/Project: amrendesign
Product: SVG Shortcode

Description

CVE-2024-12574 is a stored Cross-Site Scripting (XSS) vulnerability in the amrendesign SVG Shortcode WordPress plugin, affecting all versions up to and including 1.0.1. The flaw arises from insufficient sanitization and escaping of SVG file uploads, allowing unauthenticated attackers to inject malicious scripts. These scripts execute whenever a user accesses the affected SVG content, potentially compromising user data and session integrity. The vulnerability has a CVSS score of 5.4, indicating medium severity; it does not require authentication but does require user interaction to trigger. No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize patching or applying mitigations to prevent exploitation. The threat primarily impacts websites globally that use this plugin, with higher risk in countries with widespread WordPress adoption.

AI-Powered Analysis

Last updated: 02/26/2026, 03:43:02 UTC

Technical Analysis

CVE-2024-12574 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the amrendesign SVG Shortcode plugin for WordPress. This vulnerability affects all versions up to and including 1.0.1. The root cause is insufficient neutralization of input during web page generation, specifically inadequate sanitization and output escaping of SVG file uploads. SVG files uploaded to the plugin can contain embedded malicious JavaScript code that is stored persistently. When any user accesses a page containing the compromised SVG shortcode, the malicious script executes in the context of the user's browser. This can lead to theft of cookies, session tokens, or other sensitive information, as well as potential manipulation of the webpage content or redirection to malicious sites. The vulnerability can be exploited remotely by unauthenticated attackers, requiring only that a victim views the affected page. The CVSS v3.1 base score is 5.4, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and partial impact on confidentiality and integrity without affecting availability. No patches or fixes have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability is significant due to the widespread use of WordPress and the popularity of SVG Shortcode for embedding scalable vector graphics, which are commonly used for icons and images on websites.

Potential Impact

The primary impact of this vulnerability is the compromise of user confidentiality and integrity on affected WordPress sites. Attackers can inject persistent malicious scripts that execute in visitors' browsers, potentially stealing authentication cookies, session tokens, or other sensitive data. This can lead to account takeover, unauthorized actions on behalf of users, or further exploitation such as phishing or malware delivery. The vulnerability does not affect system availability directly but undermines trust and security of the website. Organizations with public-facing WordPress sites using the SVG Shortcode plugin are at risk of reputational damage and data breaches. The ease of exploitation by unauthenticated attackers increases the threat, especially for high-traffic sites with many users. The scope includes all websites running vulnerable versions of the plugin, which may be significant given WordPress's global market share. Without mitigation, attackers can leverage this vulnerability to conduct targeted attacks or mass exploitation campaigns once public exploit code becomes available.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately restrict or disable SVG file uploads via the amrendesign SVG Shortcode plugin until a patch is available. Implement strict input validation and sanitization on all SVG uploads, ensuring removal or neutralization of any embedded scripts or event handlers. Apply proper output encoding and escaping when rendering SVG content on web pages to prevent script execution. Consider using security plugins or Web Application Firewalls (WAFs) that can detect and block XSS payloads targeting SVG files. Monitor website logs for suspicious upload activity or unusual script execution patterns. Educate site administrators on the risks of allowing unauthenticated SVG uploads and enforce least privilege principles. Regularly update WordPress and all plugins to their latest versions once a security patch for this vulnerability is released. Additionally, conduct security audits and penetration testing focused on file upload functionalities to identify similar weaknesses.
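A sanitization pass of the kind recommended above, as an added example that is not the plugin's code: it is written in Python to show the logic, and a WordPress deployment would implement the same checks in a PHP upload filter. It drops script-bearing elements, on* event handlers and javascript:/data: URLs from a constructed malicious upload, and rejects files whose root element is not svg.

```python
"""Allowlist-style SVG sanitizer: drops script-bearing elements and attributes."""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for hostile input in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or embed active/foreign content: removed with their subtree.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate", "handler"}
# Attributes whose value is a URL or style fragment and may carry a script scheme.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS, "src", "style"}
# Conservative: data: is rejected too, so embedded raster images must be uploaded separately.
SCRIPT_VALUE = re.compile(r"(javascript|vbscript|data)\s*:|expression\s*\(", re.IGNORECASE)

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.split("}", 1)[-1] if isinstance(tag, str) else ""

def sanitize_svg(svg_text):
    """Return (cleaned SVG string, number of removed elements and attributes).

    Raises ValueError for a non-SVG root and ET.ParseError for malformed XML,
    so an upload handler can reject the file instead of storing it.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = 0
    # Pass 1: snapshot the tree, then drop dangerous children (and everything under them).
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed += 1
    # Pass 2: strip on* event handlers and script-scheme URLs from what survived.
    for el in root.iter():
        for name in list(el.attrib):
            lname = _local(name).lower()
            if lname.startswith("on") or (name in URL_ATTRS and SCRIPT_VALUE.search(el.attrib[name])):
                del el.attrib[name]
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample upload carrying the payload shapes the sanitizer must neutralize.
EVIL_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><circle r="5" onclick="alert(1)"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject>
  <rect width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    cleaned, count = sanitize_svg(EVIL_SVG)
    print(count, "dangerous items removed")
    print(cleaned)
```

Running the sanitizer a second time on its own output removes nothing, which is a useful property to assert in an upload pipeline.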


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-12T15:24:59.772Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e43b7ef31ef0b59beff

Added to database: 2/25/2026, 9:48:51 PM

Last enriched: 2/26/2026, 3:43:02 AM

Last updated: 2/26/2026, 6:17:26 AM
