Skip to main content

SVG Support EUVDEUVD-2026-32526

| CVE-2026-48973 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-frmx-6g5x-w92p
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:11 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects SVG Support: from n/a through 2.5.14.

AnalysisAI

Broken access control in the SVG Support WordPress plugin (versions through 2.5.14) allows low-privileged authenticated users to perform unauthorized actions due to missing authorization checks on one or more plugin functions. The vulnerability (CWE-862) enables an attacker with a basic WordPress account to circumvent access control restrictions and make unauthorized modifications, impacting integrity without exposing sensitive data or causing service disruption. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with partial technical impact.

Technical ContextAI

SVG Support is a WordPress plugin developed by Benbodhi that enables uploading and rendering of SVG (Scalable Vector Graphics) files within WordPress sites. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin functions that should be restricted to higher-privilege roles (e.g., administrators or editors) fail to verify the caller's authorization before executing. In WordPress, this typically manifests as AJAX handlers, REST API endpoints, or admin-facing functions registered without a capability check (e.g., missing current_user_can() calls). The CVSS vector AV:N/AC:L/PR:L/UI:N indicates the vulnerable function is reachable over the network with no special configuration, requires only a low-privilege WordPress account (subscriber or contributor level), and no user interaction. Affected versions span all releases up to and including 2.5.14 per both NVD and ENISA EUVD-2026-32526.

RemediationAI

The primary remediation is to update the SVG Support plugin to a version beyond 2.5.14 once a patched release is published by the vendor. No specific fix version has been independently confirmed in the available data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/svg-support/vulnerability/wordpress-svg-support-plugin-2-5-14-broken-access-control-vulnerability should be monitored for the confirmed patched release. As a compensating control prior to patching, site administrators should disable open user registration (Settings > General > 'Anyone can register') to eliminate the low-privilege account vector that makes this exploitable by external attackers. Additionally, reviewing which user roles have access to SVG upload functionality and restricting it to trusted roles (editor/administrator) via the plugin's own role settings reduces the attack surface. Deactivating the plugin entirely is an option for sites that do not require SVG support. Note that disabling registration may affect intended site functionality.

Share

EUVD-2026-32526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy