CVE-2024-9853: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in slovenskoit ID-SK Toolkit
CVE-2024-9853 is a stored cross-site scripting (XSS) vulnerability in the slovenskoit ID-SK Toolkit WordPress plugin, affecting all versions up to and including 1.7.2. Authenticated users with Author-level or higher privileges can upload crafted SVG files containing malicious scripts that execute when other users access the SVG content. The vulnerability arises from insufficient input sanitization and output escaping of SVG uploads. Exploitation does not require user interaction beyond viewing the malicious SVG, and it can impact confidentiality and integrity by executing arbitrary scripts in the context of affected users. No known exploits are currently reported in the wild. The CVSS score is 6.4 (medium severity), reflecting a network attack vector, low attack complexity, and privileges required. Organizations using this plugin should prioritize patching or mitigating this vulnerability to prevent potential session hijacking, data theft, or further compromise.
AI Analysis
Technical Summary
The slovenskoit ID-SK Toolkit plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-9853. This vulnerability exists due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of SVG file uploads. Versions up to and including 1.7.2 fail to sufficiently sanitize and escape SVG content, allowing authenticated users with Author-level or higher privileges to upload SVG files containing malicious JavaScript code. When other users access pages displaying these SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The attack vector is network-based, with low complexity, but requires authenticated access with Author or higher privileges, and no user interaction is needed beyond viewing the malicious SVG. The vulnerability affects the confidentiality and integrity of user data and site content but does not impact availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The CVSS v3.1 score of 6.4 reflects a medium severity rating, considering the scope of impact and required privileges. The vulnerability is particularly relevant for organizations using the slovenskoit ID-SK Toolkit plugin on WordPress sites, especially those allowing multiple authors or contributors. Mitigation requires patching the plugin once available or implementing strict SVG upload filtering and output escaping controls.
Potential Impact
This vulnerability allows authenticated users with Author-level access or higher to inject malicious scripts via SVG uploads, which execute in the browsers of users viewing the SVG content. The impact includes potential theft of session cookies, user impersonation, unauthorized actions on behalf of users, and exposure of sensitive information. For organizations, this can lead to compromised user accounts, defacement, data leakage, and erosion of trust. Since the attack requires authenticated access, insider threats or compromised accounts pose a significant risk. The vulnerability does not affect availability directly but can facilitate further attacks that degrade service. Given WordPress's widespread use and the plugin's role in Slovak IT contexts, targeted attacks could disrupt government, corporate, or public-facing websites. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.
Mitigation Recommendations
Organizations should immediately restrict SVG file uploads to trusted users only and implement strict input validation and sanitization for SVG content. Until an official patch is released, disable or remove the slovenskoit ID-SK Toolkit plugin if feasible. Employ Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads. Enforce the principle of least privilege by limiting Author-level access and above to only necessary users. Monitor logs for unusual upload activity and anomalous script execution patterns. Educate users about the risks of uploading untrusted files. Once a patch is available, apply it promptly. Additionally, consider implementing Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of XSS attacks. Regularly audit and update all WordPress plugins to minimize exposure to known vulnerabilities.
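The "strict input validation and sanitization for SVG content" recommended above can be enforced at upload time. The following is an added example, not code from the plugin or the advisory: a pre-upload check that rejects SVG documents carrying the features stored-XSS payloads depend on (script elements, on* event-handler attributes, javascript:/data: URLs in href attributes, foreignObject, and any DOCTYPE). The sample SVG inputs are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can carry or host executable content inside an SVG.
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that hold URLs (plain href and the xlink:href form).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
BAD_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def _local(name: str) -> str:
    """Strip the namespace prefix from an ElementTree name like '{ns}script'."""
    return name.rsplit("}", 1)[-1]


def svg_violations(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected (empty list == clean)."""
    problems = []
    # Reject entity declarations outright: they enable XXE / entity expansion.
    if re.search(rb"<!DOCTYPE", data, re.I):
        problems.append("DOCTYPE/entity declarations are not allowed")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not an SVG <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in BLOCKED_TAGS:
            problems.append(f"blocked element <{name}>")
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):
                problems.append(f"event handler attribute {_local(attr)} on <{name}>")
            if attr in URL_ATTRS and BAD_SCHEME.match(value):
                problems.append(f"unsafe URL scheme in {_local(attr)} on <{name}>")
    return problems


def is_safe_svg(data: bytes) -> bool:
    """Allow-list decision for the upload handler: True only if no violations."""
    return not svg_violations(data)


# Constructed samples (not from the advisory): a clean icon and an upload that
# resembles a stored-XSS attempt; both exist only to exercise the validator.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'onload="alert(1)"><script>alert(1)</script>'
               b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    print("clean accepted:", is_safe_svg(CLEAN_SVG))
    print("hostile rejected for:", svg_violations(HOSTILE_SVG))
```

Run the check before the file reaches the media library; a rejected upload should be logged (user, filename, reasons) to support the "monitor logs for unusual upload activity" recommendation.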
Affected Countries
Slovakia, Czech Republic, Germany, United States, United Kingdom, France, Poland, Netherlands, Austria, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-11T01:48:09.056Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b61b7ef31ef0b554d3e
Added to database: 2/25/2026, 9:36:33 PM
Last enriched: 2/25/2026, 11:42:27 PM
Last updated: 2/26/2026, 6:16:55 AM