CVE-2024-8917 in AnWP Football Leagues Plugin

Summary

by MITRE • 09/25/2024

The AnWP Football Leagues plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.16.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.


Analysis

by VulDB Data Team • 03/09/2025

The AnWP Football Leagues plugin for WordPress presents a critical security vulnerability classified as CVE-2024-8917, which affects all versions up to and including 0.16.7. This vulnerability manifests as a stored cross-site scripting flaw that specifically targets SVG file upload functionality within the plugin's administrative interface. The flaw stems from inadequate input sanitization mechanisms and insufficient output escaping measures that fail to properly validate and sanitize user-supplied SVG content before it is stored and subsequently served to end users. Authentication requirements for exploitation are relatively low, as attackers need only possess Author-level privileges or higher within the WordPress environment to successfully leverage this vulnerability.

The technical nature of this vulnerability places it squarely within the CWE-79 category of Cross-Site Scripting, specifically the stored XSS variant, where the malicious script is persisted on the server and executed whenever a legitimate user accesses the affected SVG file. The vulnerability operates through the plugin's file upload processing mechanism, where SVG files are accepted without proper validation of their content structure and embedded script elements. The lack of proper content type validation and sanitization allows attackers to upload SVG files containing JavaScript payloads that are subsequently executed in the context of other users' browsers when they access the plugin's SVG display functionality.

The operational impact of CVE-2024-8917 extends beyond simple script execution, as it creates a persistent threat vector that can be exploited by authenticated attackers to perform various malicious activities. When victims access pages containing the compromised SVG files, their browsers execute the embedded scripts, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The vulnerability's persistence stems from the stored nature of the XSS payload, meaning that once uploaded, the malicious script remains active until manually removed from the server. This characteristic makes the vulnerability particularly dangerous in environments where multiple users regularly access the plugin's content, as each user who views the affected SVG files becomes a potential victim of the stored script execution.

Mitigation strategies for CVE-2024-8917 should prioritize immediate patching of the affected plugin to version 0.16.8 or later, which contains the necessary security fixes to address the input sanitization and output escaping deficiencies. Administrators should also implement additional defensive measures including restricting file upload capabilities to only trusted users, implementing proper content validation for all uploaded files, and establishing monitoring procedures to detect unauthorized file uploads. The vulnerability demonstrates the importance of proper input validation and output escaping practices as outlined in the OWASP Top Ten security principles and aligns with ATT&CK technique T1566.002 for the use of malicious file uploads. Organizations should also consider implementing web application firewalls and content security policies to provide additional layers of protection against similar vulnerabilities in other plugin components. Regular security audits of WordPress plugins and themes remain essential to identify and remediate such vulnerabilities before they can be exploited by malicious actors in the broader threat landscape.
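The two defensive measures above, content validation of uploaded files and monitoring of the upload directory for files that should not be there, both reduce to one question for SVG: does the file carry active content? The following is an added illustration written for this page, not code from the AnWP Football Leagues plugin or from VulDB. It parses an SVG as XML and reports script elements, event-handler attributes, and script-scheme URIs in href/src attributes, treating unparseable files as rejects. The function names, the sample files, and the attribute list are constructed for the example; a real deployment would run this in the upload handler before the file is written, and again as a periodic sweep of the uploads tree.

```python
"""Conservative active-content check for SVG uploads (constructed example).

Findings are returned as strings so a caller can either reject the upload
(pre-storage validation) or log the path (post-storage monitoring sweep).
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that carry executable or embedded-HTML content. foreignObject is
# included because it can wrap arbitrary HTML inside the SVG document.
ACTIVE_TAGS = {"script", "foreignobject"}
# Attributes that take a URI and therefore can carry a script scheme.
URI_ATTRS = {"href", "src"}
# Browsers strip ASCII control characters and whitespace inside a scheme
# before matching it, so the check normalizes the value the same way.
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")
_SCRIPT_SCHEME = re.compile(r"^(?:javascript|vbscript|data):", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix ('{ns}href' -> 'href')."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list:
    """Return a list of findings for one SVG document; empty means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A file that is not well-formed XML cannot be inspected reliably,
        # so the safe answer is to reject it rather than pass it through.
        return [f"unparseable XML ({exc}); reject"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                # Every SVG attribute beginning with 'on' is an event handler.
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URI_ATTRS:
                normalized = _CONTROL_CHARS.sub("", value)
                if _SCRIPT_SCHEME.match(normalized):
                    findings.append(f"script-scheme URI in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True when the document carries none of the active content above."""
    return not find_active_content(svg_text)


def scan_directory(upload_dir: Path) -> dict:
    """Monitoring sweep: map each .svg path under upload_dir to its findings."""
    report = {}
    for path in sorted(upload_dir.rglob("*.svg")):
        report[str(path)] = find_active_content(path.read_text(errors="replace"))
    return report


# Constructed sample uploads used to exercise the check. The script element
# and handler reference a comment and a placeholder name, not a payload.
SAMPLES = {
    "logo.svg": '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
    "script.svg": '<svg xmlns="http://www.w3.org/2000/svg">'
                  '<script>/* constructed sample, no payload */</script></svg>',
    "handler.svg": '<svg xmlns="http://www.w3.org/2000/svg" onload="placeholderHandler()">'
                   '<rect width="1" height="1"/></svg>',
    "href.svg": '<svg xmlns="http://www.w3.org/2000/svg" '
                'xmlns:xlink="http://www.w3.org/1999/xlink">'
                '<a xlink:href="javascript:void(0)"><text>x</text></a></svg>',
    "broken.svg": "<svg><rect></svg>",
}


def scan_samples() -> dict:
    """Run the check over the constructed samples (name -> findings)."""
    return {name: find_active_content(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "ALLOW" if not findings else "REJECT"
        print(f"{verdict:6} {name}: {findings}")
```

Parsing with the standard XML parser is deliberately strict: a browser served the file as image/svg+xml will refuse malformed XML anyway, so rejecting what the parser cannot read costs nothing and closes the gap a regex-only filter leaves for oddly formed markup. The check is a denylist of active constructs, which is enough for a monitoring sweep; for the upload path itself, an allowlist sanitizer that rebuilds the document from approved elements and attributes is the stronger choice.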

Reservation: 09/16/2024

Disclosure: 09/25/2024

Moderation: accepted

CPE: ready

EPSS: 0.00162

KEV: no

Activities: very low
