cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for cits-support-svg-webp-media-upload

Jun 07, 2024

CITS Support svg, webp Media and TTF,OTF File Upload # CVE-2023-5458

CVE, Research URL

CVE-2023-5458

Date
Oct 31, 2023
Research Description
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. An SVG is an XML document, and a browser that opens the uploaded file directly from the uploads directory executes any <script> element or event-handler attribute it contains in the site's origin, so the payload runs as stored XSS against whoever views the file.
Affected versions
before 3.0.
Status
vulnerable
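The check the description says is missing, as an added example that is not the CITS plugin's own code: a WordPress upload filter that rejects an SVG when it carries script-capable content. It assumes it runs inside a WordPress plugin or mu-plugin; the cits_example_ function name, the finding messages and the element and attribute lists are ours, not the plugin's.

```php
<?php
/**
 * Added example, not code from the CITS plugin: reject SVG uploads that carry
 * script-capable content before WordPress moves them into the media library.
 * Assumes it runs inside a WordPress plugin or mu-plugin; the cits_example_
 * function name and the detection lists below are ours.
 */

/**
 * Return the reasons an SVG document is unsafe, or an empty array if no
 * script-capable construct was found. Detection is deliberately broad:
 * anything that can execute script or embed HTML counts as a finding.
 */
function cits_example_svg_findings( string $svg ): array {
    $findings = array();

    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing. Entity
    // substitution stays off (no LIBXML_NOENT), so an XXE payload is inert here.
    $ok = $doc->loadXML( $svg, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return array( 'not well-formed XML' );
    }

    // An SVG image never needs a DOCTYPE; one that has it may declare entities.
    if ( null !== $doc->doctype ) {
        $findings[] = 'DOCTYPE present';
    }
    if ( 'svg' !== strtolower( $doc->documentElement->localName ) ) {
        $findings[] = 'root element is not <svg>';
    }

    // Elements that run script, embed HTML, or can animate an attribute to a
    // javascript: URL (<animate>/<set> on href are a known bypass).
    $script_elements = array( 'script', 'foreignobject', 'iframe', 'embed', 'object', 'animate', 'set' );
    // Attributes whose value is a URL or becomes one through animation.
    $url_attributes = array( 'href', 'src', 'data', 'to', 'from', 'values' );
    // Dangerous schemes; data: is allowed only for raster image types, since an
    // embedded data:image/svg+xml document can itself contain script.
    $bad_scheme = '/^(javascript|vbscript):|^data:(?!image\/(png|jpe?g|gif|webp)[;,])/';

    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        $tag = strtolower( $el->localName );
        if ( in_array( $tag, $script_elements, true ) ) {
            $findings[] = "<$tag> element";
        }
        foreach ( $el->attributes as $attr ) {
            $name = strtolower( $attr->localName ); // xlink:href and href both become "href"
            // Drop whitespace and control characters that browsers ignore before the scheme.
            $value = strtolower( preg_replace( '/[\s\x00-\x1f]+/', '', $attr->value ) );
            if ( 0 === strpos( $name, 'on' ) ) {
                $findings[] = "event handler $name on <$tag>";
            } elseif ( in_array( $name, $url_attributes, true ) && preg_match( $bad_scheme, $value ) ) {
                $findings[] = "$name=\"" . substr( $value, 0, 40 ) . "\" on <$tag>";
            }
        }
        if ( 'style' === $tag && preg_match( '/javascript:|expression\(|@import/i', $el->textContent ) ) {
            $findings[] = 'active content in <style>';
        }
    }
    return $findings;
}

// wp_handle_upload_prefilter runs before the file is moved into the uploads
// directory; setting $file['error'] to a string aborts the upload and shows
// that message to the uploader.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    if ( 'svg' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        return $file;
    }
    $findings = cits_example_svg_findings( (string) file_get_contents( $file['tmp_name'] ) );
    if ( ! empty( $findings ) ) {
        $file['error'] = 'SVG rejected: ' . implode( '; ', $findings );
    }
    return $file;
} );
```

This rejects rather than rewrites: a sanitiser that strips elements must also get namespaces, CDATA and CSS right, and a reject-on-finding policy is easier to reason about for an Author-level upload path. Two caveats a practitioner would add: the filter only inspects files that arrive through wp_handle_upload, so any other path the plugin uses to write SVGs needs the same check; and allowing SVG upload at all is safest when it is further limited to users who already hold unfiltered_html, since they can inject script anyway.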
Mar 24, 2025

CITS Support svg, webp Media and TTF,OTF File Upload # CVE-2025-0807

CVE, Research URL

CVE-2025-0807

Date
Mar 22, 2025
Research Description
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_settings_tab() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 4.2.
Status
vulnerable

CITS Support svg, webp Media and TTF,OTF File Upload # CVE-2024-13768

CVE, Research URL

CVE-2024-13768

Date
Mar 22, 2025
Research Description
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_assign_fonts_tab() function. This makes it possible for unauthenticated attackers to delete font assignments via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 4.2.
Status
vulnerable
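The pattern behind both CSRF entries (CVE-2025-0807 on the settings tab and CVE-2024-13768 on the font-assignment tab), as an added example that is not the CITS plugin's own code: an admin-tab handler in the vulnerable shape the descriptions name, beside a hardened version that ties each state change to a nonce and a capability check. It assumes a WordPress plugin context; the cits_example_ function names, option keys, nonce actions and the delete_font / cits_allowed_types parameter names are ours, not the plugin's.

```php
<?php
/**
 * Added example, not code from the CITS plugin: the admin-tab handler shape that
 * produces the two CSRF findings above (settings update, font-assignment
 * deletion), beside a hardened version. Runs inside a WordPress plugin; the
 * cits_example_* names, option keys, nonce actions and parameter names are ours.
 */

// VULNERABLE SHAPE: state changes on any request that carries the right
// POST or GET parameters. A form on an attacker's page that auto-submits to
// wp-admin is sent with the administrator's session cookie and is accepted.
function cits_example_settings_tab_vulnerable() {
    if ( isset( $_POST['cits_allowed_types'] ) ) {
        update_option( 'cits_example_settings', $_POST['cits_allowed_types'] ); // no nonce, no capability check, no sanitization
    }
    if ( isset( $_GET['delete_font'] ) ) {
        delete_option( 'cits_example_font_' . (int) $_GET['delete_font'] ); // same problem on the deletion path
    }
}

// HARDENED: every state-changing path checks (1) the caller's capability,
// (2) a nonce bound to the action and, for deletions, to the item, and
// (3) sanitizes input before storing it. A nonce is not an authorization
// check, so (1) stays even with (2) in place.
function cits_example_settings_tab_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Settings form: nonce field cits_example_nonce, action cits_example_save_settings.
    if ( isset( $_POST['cits_allowed_types'] ) ) {
        $nonce = isset( $_POST['cits_example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['cits_example_nonce'] ) ) : '';
        // "Incorrect" validation usually means calling wp_verify_nonce and ignoring
        // its return value, or checking a nonce issued for a different action.
        if ( ! wp_verify_nonce( $nonce, 'cits_example_save_settings' ) ) {
            wp_die( 'Invalid or expired nonce', '', array( 'response' => 403 ) );
        }
        $types = sanitize_text_field( wp_unslash( $_POST['cits_allowed_types'] ) );
        update_option( 'cits_example_settings', $types );
    }

    // Font deletion via link: the nonce action includes the font id, so a nonce
    // issued for one item cannot be replayed to delete another.
    if ( isset( $_GET['delete_font'] ) ) {
        $font_id = absint( $_GET['delete_font'] );
        check_admin_referer( 'cits_example_delete_font_' . $font_id ); // reads _wpnonce; dies on failure
        delete_option( 'cits_example_font_' . $font_id );
    }
}

// Rendering side: emit the nonce with the form and with each delete link.
function cits_example_render_tab( array $font_ids ) {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cits_example_save_settings', 'cits_example_nonce' ); ?>
        <input type="text" name="cits_allowed_types"
               value="<?php echo esc_attr( get_option( 'cits_example_settings', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <ul>
    <?php foreach ( $font_ids as $id ) : ?>
        <li><a href="<?php echo esc_url( wp_nonce_url(
            add_query_arg( 'delete_font', (int) $id ),
            'cits_example_delete_font_' . (int) $id ) ); ?>">Delete font <?php echo (int) $id; ?></a></li>
    <?php endforeach; ?>
    </ul>
    <?php
}
```

wp_nonce_url appends the nonce as _wpnonce, which is the default query argument check_admin_referer looks for, so the GET path and the POST path use different helpers but the same underlying wp_verify_nonce check. A WordPress nonce is tied to the user and session and expires within 24 hours, which is what makes it unforgeable from another origin; it does nothing against an attacker who already holds a valid administrator session, which is why the capability check is kept separately.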