CVE-2024-6849 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Preloader Plus – WordPress Loading Screen Plugin developed by maxsdesign. This vulnerability affects all plugin versions up to and including 2.2.1. The root cause is insufficient sanitization and escaping of SVG file uploads, allowing authenticated users with Author-level permissions or higher to embed arbitrary JavaScript code within SVG files. When these SVG files are accessed by any user, the embedded scripts execute in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The attack vector is network-based, requiring the attacker to be authenticated with at least Author privileges, which is a moderately high privilege level in WordPress. No user interaction beyond viewing the malicious SVG is required, and the vulnerability impacts confidentiality and integrity but not availability. The CVSS 3.1 score of 6.4 reflects a medium severity due to the ease of exploitation within an authenticated context and the potential for cross-site scripting attacks that can compromise user data and site integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. This flaw highlights the importance of rigorous input validation and output encoding, especially for file uploads that can contain executable content like SVGs.

This vulnerability can have significant impacts on organizations using the affected WordPress plugin. Attackers with Author-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed with the victim’s privileges. This can undermine user trust, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since WordPress powers a large portion of websites globally, including many business, government, and e-commerce sites, exploitation could disrupt operations and damage reputations. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially on sites with multiple contributors or compromised accounts. The vulnerability does not affect availability directly but can indirectly cause service disruptions if exploited for broader attacks. Organizations failing to address this issue may face compliance risks and increased exposure to targeted attacks.

Organizations should immediately review user roles and permissions to restrict Author-level or higher access to trusted users only. Implement strict monitoring and auditing of file uploads, especially SVG files, to detect and block suspicious content. Employ Web Application Firewalls (WAFs) with rules designed to detect and prevent XSS payloads in SVG uploads. Until an official patch is released, consider disabling SVG uploads or the Preloader Plus plugin if feasible. Apply content security policies (CSP) to limit the execution of inline scripts and reduce the impact of XSS attacks. Regularly update WordPress core and all plugins to their latest versions once patches become available. Conduct security awareness training for site administrators and contributors about the risks of uploading untrusted files. Use security plugins that scan for malicious code and anomalous behavior. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.