CVE-2024-9119 is a stored cross-site scripting (XSS) vulnerability identified in the SVG Complete plugin for WordPress, developed by automatic-rock. This vulnerability affects all versions up to and including 1.0.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of SVG file uploads. Authenticated attackers with Author-level access or higher can exploit this flaw by uploading crafted SVG files containing malicious JavaScript code. When other users view pages containing these SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79. The CVSS v3.1 base score is 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and a scope change. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple users or public-facing content. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The impact of CVE-2024-9119 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of users viewing the malicious SVG files, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. This can undermine user trust and lead to further compromise of the website or connected systems. Since the vulnerability requires Author-level privileges, it limits exploitation to insiders or compromised accounts with elevated access, but many WordPress sites have multiple authors or contributors, increasing the attack surface. The vulnerability does not affect availability directly but can facilitate attacks that degrade service or lead to defacement. Organizations relying on the SVG Complete plugin risk reputational damage and data breaches if this vulnerability is exploited, especially in environments with sensitive user data or critical business functions.

To mitigate CVE-2024-9119, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, restrict Author-level and higher privileges to trusted users only and audit existing user roles to minimize risk. Disable or remove the SVG Complete plugin if it is not essential. Implement web application firewalls (WAFs) with rules to detect and block malicious SVG uploads or suspicious script execution patterns. Additionally, configure WordPress to sanitize SVG uploads using alternative plugins or custom code that properly validates and escapes SVG content. Monitor logs for unusual upload activity or script execution errors. Educate content authors about the risks of uploading untrusted SVG files. Finally, consider implementing Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script sources.