CVE-2024-9125 is a stored Cross-Site Scripting (XSS) vulnerability identified in the king_IE plugin for WordPress, affecting all versions up to and including 1.0. The root cause is insufficient sanitization and escaping of SVG file uploads, which allows authenticated users with Author-level or higher privileges to embed arbitrary JavaScript code within SVG files. When these SVG files are accessed by any user, the malicious script executes in their browser context, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. No patches or known exploits have been reported yet, but the risk remains significant due to the common use of WordPress and the plugin's capability to upload SVG files. The vulnerability demands attention from site administrators to prevent exploitation by malicious insiders or compromised accounts.

The primary impact of CVE-2024-9125 is the potential for attackers with Author-level access to inject persistent malicious scripts into SVG files, which execute in the browsers of any users viewing those files. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement of website content, and potential spread of malware. Since the vulnerability requires authenticated access, it limits exploitation to users with some level of trust, but this still poses a significant insider threat or risk from compromised accounts. The scope change means that the attack can affect other users beyond the initial attacker, amplifying the impact. Organizations relying on the king_IE plugin for content management face risks to confidentiality and integrity of user data and website content. The medium CVSS score reflects moderate risk, but the widespread use of WordPress and SVG files in web content increases the potential attack surface globally.

1. Immediately restrict or disable SVG file uploads in the king_IE plugin until a patch is available. 2. Implement strict input validation and sanitization on all SVG uploads, ensuring that any embedded scripts or event handlers are removed or neutralized. 3. Apply output escaping on SVG content when rendering to prevent script execution in browsers. 4. Limit Author-level and higher privileges to trusted users only, and regularly audit user roles and permissions. 5. Monitor logs for unusual upload activity or changes to SVG files. 6. Consider deploying a Web Application Firewall (WAF) with rules to detect and block malicious SVG payloads. 7. Stay updated with vendor advisories for official patches or updates addressing this vulnerability. 8. Educate site administrators and users about the risks of uploading untrusted SVG content. 9. Use Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact if exploitation occurs. 10. Regularly back up website data to enable recovery in case of compromise.