Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-8673

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
9.1CRITICAL
EPSS
5.8%
top 9.47%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Unknown Z-downloadsUrbanbase Z-downloads
Timeline
PublishedMay 15

Description

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

CVEListV5unknown/z-downloads< 1.11.7
NVDurbanbase/z-downloads< 1.11.7

🔴Vulnerability Details

2
GHSA
GHSA-m87q-2m67-hxxh: The Z-Downloads WordPress plugin before 12025-05-15
CVEList
Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload2025-05-15

💥Exploits & PoCs

1
Nuclei
Z-Downloads < 1.11.7 - Cross-Site Scripting
CVE-2024-8673 (CRITICAL CVSS 9.1) | The Z-Downloads WordPress plugin be | cvebase.io