CVE-2024-8673
published 2025-05-15

CVE-2024-8673: The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

Priority: P2 (64)
Severity: critical, 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: EXPLOIT (public exploit tracked)
EPSS: 1.63% (73.3rd percentile)

Affected (1 range)

Vendor: urbanbase
Product: z-downloads
Version range: < 1.11.7
Fixed in: 1.11.7

Detection & IOCs (extracted from sources)

path: /wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/xss.svg
url: /wp-admin/admin.php?page=z-downloads-files
filename: xss.svg
  • Detect SVG upload exploitation by matching HTTP 200 responses with Content-Type 'image/svg+xml' containing the XSS payload 'alert(document.domain);' served from the Z-Downloads upload path.
  • Monitor for SVG files uploaded to the Z-Downloads plugin upload directory matching the pattern /wp-content/uploads/z-downloads-<32hexchars>/files/<32hexchars>/xss.svg.
  • Watch for multipart form-data POST requests to the Z-Downloads file upload endpoint containing SVG payloads with embedded JavaScript (e.g., alert(document.domain);).
  • The plugin fails to properly validate uploaded files, allowing SVGs containing malicious JavaScript to be stored and served; flag any SVG upload to the Z-Downloads plugin directory.
  • The nonce value in the upload request is dynamic and must be extracted from the page prior to exploitation; static replay of the request will fail without a valid nonce.
  • The upload directory name and file subdirectory both use 32-character hex strings, making the exact path unpredictable; detection must use regex-based path matching rather than static path matching.
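The two path-matching notes above (regex over the unpredictable 32-hex directory names, and flagging any SVG under the plugin's upload directory) turned into a small access-log scanner. This is an added example, not code from the CVE source or the Z-Downloads project; the log lines are constructed sample input in combined log format, and the client IPs and hex directory names are made up for illustration.

```python
import re
from dataclasses import dataclass

# Path pattern from the IoCs: both directory components are 32 hex characters,
# so a static path match would miss real uploads. Any .svg under that tree is
# flagged, not only the filename seen in the PoC.
ZDL_SVG_PATH = re.compile(
    r"/wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/[^/\s?]+\.svg\b",
    re.IGNORECASE,
)
# Admin page that hosts the plugin's file upload form (from the IoCs).
ZDL_ADMIN_PAGE = re.compile(r"/wp-admin/admin\.php\?page=z-downloads-files\b")

# Combined log format: client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    path: str
    status: int
    reason: str


def scan_access_log(lines):
    """Return a Finding for every log line that touches the Z-Downloads
    upload page or an SVG stored under the plugin's upload directory."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "POST" and ZDL_ADMIN_PAGE.search(path):
            reason = "POST to Z-Downloads file page (possible upload)"
        elif ZDL_SVG_PATH.search(path):
            # A 200 means the SVG was actually served to a browser, which is the
            # condition under which embedded script would run.
            reason = ("SVG served from Z-Downloads upload directory"
                      if status == 200 else
                      "SVG requested from Z-Downloads upload directory")
        else:
            continue
        findings.append(Finding(n, m["ip"], method, path, status, reason))
    return findings


# Constructed sample log (not real traffic). Hex directory names are arbitrary.
_HEX_A = "0123456789abcdef0123456789abcdef"
_HEX_B = "fedcba9876543210fedcba9876543210"
SAMPLE_LOG = [
    f'198.51.100.7 - - [15/May/2025:10:00:01 +0000] "GET /wp-content/uploads/'
    f'z-downloads-{_HEX_A}/files/{_HEX_B}/xss.svg HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/May/2025:09:59:40 +0000] '
    '"POST /wp-admin/admin.php?page=z-downloads-files HTTP/1.1" 302 0',
    '203.0.113.9 - - [15/May/2025:10:01:00 +0000] '
    '"GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 2048',
    # Wrong directory shape (not 32 hex chars): must NOT match.
    '203.0.113.9 - - [15/May/2025:10:01:05 +0000] '
    '"GET /wp-content/uploads/z-downloads-notahex/files/abc/x.svg HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Feed it real access logs one line at a time; the POST-to-upload-page rule will also fire on legitimate administrator uploads, so correlate it with a following 200 for an SVG from the same client before raising severity.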