CVE-2024-9426: 
WordPress vulnerability analysis and mitigation

The Aqua SVG Sprite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via SVG File uploads in versions up to and including 3.0.14. The vulnerability was discovered and disclosed on November 12, 2024, and affects the WordPress plugin's file upload functionality (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. The issue has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially leading to unauthorized access to sensitive information or manipulation of website content (NVD).

As of November 11, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to remove the plugin from their WordPress installations immediately (WordPress Plugin).