CVE-2024-8967 in PWA Plugin

Summary

by MITRE • 10/02/2024

The PWA — easy way to Progressive Web App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.


Analysis

by VulDB Data Team • 03/08/2025

The vulnerability CVE-2024-8967 affects the PWA — easy way to Progressive Web App plugin for WordPress, specifically targeting versions up to and including 1.6.3. This represents a critical security flaw that undermines the integrity of web applications by enabling malicious actors to inject persistent cross-site scripting payloads through SVG file uploads. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's file handling processes, creating an attack vector that can compromise user sessions and execute unauthorized code within the context of affected websites.

The technical exploitation of this vulnerability occurs through stored cross-site scripting attacks where authenticated users with author-level privileges or higher can upload malicious SVG files containing embedded JavaScript code. When other users access these compromised SVG files, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or further compromise of the WordPress installation. This flaw operates at the intersection of web application security and file upload validation, where the plugin fails to properly validate and sanitize SVG content before storing and serving these files to end users.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to manipulate the behavior of legitimate users within the WordPress environment. Authorized users who upload SVG files become vectors for persistent attacks, allowing threat actors to maintain access and execute malicious code across multiple user sessions. The vulnerability's persistence stems from the stored nature of the XSS payload, meaning that once injected, the malicious code remains active until manually removed from the system, creating long-term exposure for affected installations.

Security professionals should consider this vulnerability in the context of CWE-79, which specifically addresses cross-site scripting flaws, and the ATT&CK framework's T1566.001 technique for initial access through malicious file uploads. The attack surface is particularly concerning for WordPress environments where multiple users with author privileges or higher exist, as these roles typically have the capability to upload media files. Organizations should prioritize immediate patching of affected versions, implement additional upload validation measures, and consider network-level monitoring for suspicious SVG file uploads to prevent exploitation of this vulnerability.

Reservation: 09/17/2024
Disclosure: 10/02/2024
Moderation: accepted
CPE: ready
EPSS: 0.00302
KEV: no
Activities: very low
