CVE-2024-9173
CVSS 3.1 Score 6.4 of 10 (medium)
Details
Summary
CVE-2024-9173 identifies a stored Cross-Site Scripting (XSS) vulnerability in the GF Custom Style plugin for WordPress, affecting all versions up to and including 2.0. The plugin accepts SVG file uploads without adequate input sanitization or output escaping, so an authenticated attacker with Author-level access or higher can upload an SVG containing script, and that script executes in the site's origin whenever a user opens the uploaded file in the browser (a browser does not run script from an SVG that is only embedded through an <img> tag; the file has to be loaded as a document). The CVSS 3.1 base score of 6.4 (medium) reflects low confidentiality and integrity impact, low privileges required and no user interaction required. To remediate this vulnerability, update the GF Custom Style plugin to the latest version, in which the issue has been addressed. Until the update is applied, restrict SVG uploads to trusted roles or reject them outright, and review existing uploads for SVG files that contain script elements, event-handler attributes or javascript: links. Organizations should also monitor for exploitation attempts and keep user roles and permissions tightly scoped, since the Author role is routinely granted to ordinary content contributors.
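The review of existing uploads suggested above can be scripted. The following scanner is an added example written for this page; it is not code from the plugin, from WordPress or from the advisory. It assumes uploads live in a directory tree such as wp-content/uploads (the path is a parameter), that the server maps the .svg extension to image/svg+xml case-insensitively, and it flags the constructs that make a directly opened SVG execute script: script and HTML-embedding elements, on* event-handler attributes, javascript: hrefs (after the tab/CR/LF stripping browsers apply to URLs) and SMIL animation elements that retarget an href. The sample documents are constructed for the demo and are not taken from any real exploit.

```python
"""Scan an uploads tree for SVG files carrying active content (added example)."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that run script or embed HTML when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# SMIL elements that can rewrite another element's href at animation time.
ANIMATION_ELEMENTS = {"animate", "set"}


def _local(qname: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}Script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def _normalised_url(value: str) -> str:
    """Mimic the browser's URL pre-parse: drop tab/CR/LF anywhere, strip, lowercase,
    so an attribute written as 'java&#10;script:' is seen as 'javascript:'."""
    return "".join(ch for ch in value if ch not in "\t\r\n").strip().lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing flagged.

    A parse error is itself a finding: a document expat rejects cannot be vouched
    for, and browsers are far more lenient than expat. For bulk scanning of
    untrusted input, defusedxml is the safer parser (assumption: stdlib is
    acceptable for a one-off audit)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        if tag in ANIMATION_ELEMENTS and elem.get("attributeName", "").lower().endswith("href"):
            findings.append(f"<{tag}> animating an href attribute")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _normalised_url(value).startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def scan_uploads(uploads_dir: Path) -> dict[str, list[str]]:
    """Walk an uploads tree and return {relative path: findings} for flagged SVGs.

    Matching on a lower-cased suffix catches 'evil.SVG' as well as 'evil.svg';
    web servers commonly match extensions case-insensitively when assigning
    image/svg+xml."""
    hits: dict[str, list[str]] = {}
    for path in uploads_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            findings = find_active_content(path.read_bytes())
            if findings:
                hits[path.relative_to(uploads_dir).as_posix()] = findings
    return hits


# Constructed sample documents for the demo; none is taken from a real exploit.
SAMPLES = {
    "2024/09/logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
                        b'<rect width="10" height="10" fill="red"/></svg>',
    "2024/09/script.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
                          b'<script>alert(document.domain)</script></svg>',
    "2024/09/onload.SVG": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                          b'<rect width="1" height="1"/></svg>',
    "2024/10/link.svg": b'<svg xmlns="http://www.w3.org/2000/svg" '
                        b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                        b'<a xlink:href="java&#10;script:alert(1)"><text>x</text></a></svg>',
}


def demo() -> dict[str, list[str]]:
    """Write the samples into a throwaway uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return scan_uploads(root)


if __name__ == "__main__":
    # On a real site: scan_uploads(Path("/var/www/html/wp-content/uploads"))
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

The benign logo is not reported; the other three samples are, including the upper-case .SVG name and the href whose javascript: scheme is split by an encoded newline. Treat any hit as a file to pull from the uploads tree and trace back to the uploading account, since Author-level uploads are exactly the path this CVE describes.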