
CVE-2024-5945: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shortpixel WP SVG Images

Severity: Medium
Tags: Vulnerability, CVE-2024-5945, CVE, CWE-79
Published: Fri Jun 21 2024 (06/21/2024, 07:39:58 UTC)
Source: CVE Database V5
Vendor/Project: shortpixel
Product: WP SVG Images

Description

CVE-2024-5945 is a stored Cross-Site Scripting (XSS) vulnerability in the WP SVG Images WordPress plugin, affecting all versions up to 4.2. Authenticated users with Author-level permissions or higher can exploit insufficient input sanitization of the 'type' parameter to inject malicious scripts into SVG files. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking or unauthorized actions. The vulnerability requires no user interaction beyond visiting the infected page, but it does require authenticated access with upload permissions. The CVSS score is 6.4 (medium severity), reflecting a moderate impact on confidentiality and integrity with no impact on availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this vulnerability to prevent exploitation.

AI-Powered Analysis

Last updated: 02/26/2026, 02:57:32 UTC

Technical Analysis

CVE-2024-5945 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WP SVG Images plugin for WordPress. This plugin allows users to upload and display SVG images on WordPress sites. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of the 'type' parameter within SVG files. Versions up to and including 4.2 fail to adequately sanitize this parameter, enabling authenticated attackers with Author-level or higher privileges, who are permitted to upload sanitized files, to bypass the plugin's SVG sanitization. By injecting arbitrary JavaScript into the 'type' parameter, an attacker can embed a script that is stored persistently and executed in the browser context of any user who accesses the infected page. This can lead to theft of session cookies, defacement, or further exploitation of the site. The attack vector is network (remote) with low attack complexity and privileges required at the Author level; no user interaction is needed once the malicious SVG is uploaded. The vulnerability affects all versions of the plugin up to 4.2, with no patch links currently available. The CVSS v3.1 score of 6.4 reflects medium severity, with confidentiality and integrity impacts but no availability impact. No known exploits have been reported in the wild at this time.

Potential Impact

The primary impact of CVE-2024-5945 is the compromise of confidentiality and integrity on WordPress sites using the vulnerable WP SVG Images plugin. Attackers can execute arbitrary JavaScript in the context of the affected site, potentially stealing user session tokens, performing actions on behalf of users, or delivering further malicious payloads. This can lead to account takeover, data leakage, or site defacement. Since the vulnerability requires authenticated access at the Author level or higher, the risk is elevated in environments where multiple users have such privileges or where account compromise is possible. The vulnerability does not affect availability directly but can undermine user trust and site integrity. Organizations running WordPress sites with this plugin, especially those with multiple content creators or contributors, face increased risk of internal or external attackers exploiting this flaw to escalate privileges or pivot attacks. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public.

Mitigation Recommendations

To mitigate CVE-2024-5945, organizations should:
1) Immediately restrict Author-level and higher user permissions to trusted individuals only, minimizing the risk of malicious uploads.
2) Monitor and audit SVG file uploads for suspicious or unexpected content, paying particular attention to the 'type' parameter within SVGs.
3) Disable or remove the WP SVG Images plugin if SVG support is not critical, or replace it with a plugin that properly sanitizes SVG input.
4) Implement Web Application Firewall (WAF) rules to detect and block SVG payloads containing script injections that target the 'type' parameter.
5) Regularly update WordPress core and plugins; watch for vendor patches addressing this vulnerability and apply them promptly once available.
6) Educate content creators and administrators about the risks of uploading untrusted SVG files and enforce strict content validation policies.
7) Consider additional security controls such as Content Security Policy (CSP) headers to limit the impact of injected scripts if exploitation occurs.
These steps go beyond generic advice by focusing on user privilege management, proactive monitoring, and layered defenses tailored to this SVG-based XSS vulnerability.
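The upload-audit step (2) and the content check behind the WAF rule (4) can be implemented as a small pre-upload inspector. The following Python script is an added example, not code from the WP SVG Images plugin, Wordfence or this advisory. Because the page does not describe the exact 'type' value that slips past the plugin's sanitizer, the scanner deliberately flags every script-capable construct regardless of its type attribute, and only reports the attribute's value so an auditor can see what was used. The two SVG documents embedded below are constructed test inputs, and the deny-list is minimal (script and foreignObject elements, on* event handlers, javascript: URLs, DOCTYPE/ENTITY declarations); it is a detection aid, not a replacement for a full SVG sanitizer.

```python
import xml.etree.ElementTree as ET

# Elements that can carry executable content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes that take a URL and therefore can hold a javascript: scheme.
URL_ATTRIBUTES = {"href", "src", "data"}


def _local_name(qualified):
    """Strip ElementTree's '{namespace}name' prefix and lower-case the result."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text):
    """Return a list of human-readable findings; an empty list means no active content was seen."""
    upper = svg_text.upper()
    # Reject DOCTYPE/ENTITY declarations outright: an SVG image never needs them,
    # and they are the vehicle for entity-expansion attacks against the parser itself.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            # Report the type attribute as well: a filter keyed on one specific
            # value of type would miss other spellings that browsers still execute.
            findings.append(f"<{name}> element with type={elem.get('type')!r}")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr_name} on <{name}>")
    return findings


# Constructed sample inputs (not taken from the advisory or the plugin).
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="blue"/>'
    "</svg>"
)
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script type="text/ecmascript">init();</script>'
    '<a xlink:href="javascript:void(0)"><text>link</text></a>'
    "</svg>"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(f"{label}: {scan_svg(doc) or 'no findings'}")
```

Run it against each SVG before it reaches the media library (for example from a WordPress upload hook, or as a batch pass over the existing uploads directory); any non-empty result is a file to quarantine and review. Keying the check on element and attribute names rather than on a single type value is the point: it does not depend on knowing which exact input the plugin's own filter mishandles.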


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-06-13T00:42:05.746Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6bf8b7ef31ef0b55d266

Added to database: 2/25/2026, 9:39:04 PM

Last enriched: 2/26/2026, 2:57:32 AM

Last updated: 2/26/2026, 11:17:36 AM
