Vulnerabilities and security researches forsafe-svg safe-svg

Jun 07, 2024

CVE, Research URL: CVE-2022-1091
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: Apr 18, 2022
Research Description: The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-18854
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: Nov 11, 2019
Research Description: A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: -
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: Mar 20, 2023
Research Description: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-18855
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: Nov 11, 2019
Research Description: A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
Affected versions: Min -, max -.
Status: vulnerable

Nov 08, 2024

CVE, Research URL: CVE-2024-8378
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: Nov 07, 2024
Research Description: The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data.
Affected versions: Min -, max -.
Status: vulnerable

Feb 17, 2025

PSC, Research URL: PSC-2024-64555
Home page URL: Security reports for Safe SVG
Application: Safe SVG
Date: -
Research Description: Safe SVG is the most reliable WordPress plugin for securely allowing SVG file uploads while ensuring robust security measures. Unlike native WordPress behavior, which restricts SVG uploads due to potential security vulnerabilities, Safe SVG sanitizes and optimizes uploaded SVG files, protecting websites from XML-based threats and malicious code injection. With over 1 million downloads, Safe SVG is a trusted solution for safely handling scalable vector graphics within WordPress. The plugin has undergone extensive security testing and has been awarded the Plugin Security Certification (PSC) from CleanTalk, verifying its adherence to the highest security standards.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED