CVE-2024-9064 is a stored cross-site scripting (XSS) vulnerability identified in the Elementor Inline SVG plugin for WordPress, maintained by namogo. The flaw exists in all versions up to and including 1.2.0 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of SVG file uploads. Authenticated users with Author-level access or higher can upload crafted SVG files containing malicious JavaScript payloads. When these SVG files are rendered on pages or posts, the embedded scripts execute in the context of the victim's browser, potentially allowing session hijacking, privilege escalation, or defacement. The vulnerability leverages CWE-79, a common web security weakness involving cross-site scripting. The attack vector is remote over the network, with low complexity, requiring privileges but no user interaction beyond viewing the infected SVG. The vulnerability affects the confidentiality and integrity of the affected WordPress sites but does not impact availability. The CVSS v3.1 score is 6.4, indicating medium severity. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the Elementor plugin ecosystem. The vulnerability underscores the importance of proper input validation and output encoding when handling user-uploaded SVG content, which can embed scripts unlike other image formats. The lack of a patch link suggests that users should monitor vendor announcements for updates or apply manual mitigations.

The primary impact of CVE-2024-9064 is the potential for attackers with Author-level access to inject persistent malicious scripts into WordPress sites using the Elementor Inline SVG plugin. This can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, and defacement of web content. Since the scripts execute in the context of any user viewing the infected SVG, including administrators, the integrity and confidentiality of the site and its users are at risk. Although availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on WordPress for their web presence, especially those allowing multiple authors or contributors, face increased risk. The vulnerability could be exploited to distribute malware or conduct phishing attacks via compromised sites. Given the network attack vector and low complexity, exploitation is feasible in many environments, particularly if proper access controls and content validation are not enforced.

To mitigate CVE-2024-9064, organizations should immediately restrict SVG upload capabilities to trusted users only, ideally limiting to administrators rather than authors. Implement strict validation and sanitization of SVG files before upload, using security-focused libraries that remove or neutralize embedded scripts and potentially dangerous elements. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of XSS attacks. Monitor logs and website content for unexpected SVG uploads or changes. Update the Elementor Inline SVG plugin promptly once a patch is released by the vendor. In the interim, consider disabling the plugin if SVG upload functionality is not critical. Educate content creators about the risks of uploading untrusted SVG files. Additionally, use web application firewalls (WAFs) with rules targeting SVG-based XSS patterns to provide an additional layer of defense. Regularly audit user roles and permissions to minimize the number of users with upload privileges.