Enable SVG, WebP, and ICO Upload Security & Risk Analysis

wordpress.org/plugins/enable-svg-webp-ico-upload

This plugin will enable uploading SVG, WebP & ICO image files to WordPress sites.

10K active installs · v1.1.4 · PHP 7.0+ · WP 4.7+ · Updated Dec 4, 2025
Tags: ico, image, serve-images, svg, webp
Score: 91 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Nov 17, 2025
Safety Verdict

Is Enable SVG, WebP, and ICO Upload Safe to Use in 2026?

Generally Safe

Score 91/100

Enable SVG, WebP, and ICO Upload has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 17, 2025 · Updated 4mo ago
Risk Assessment

The "enable-svg-webp-ico-upload" plugin version 1.1.4 presents a mixed security profile. While the code analysis shows good practices in terms of SQL query sanitization and output escaping, with 100% of both being handled correctly, there are significant concerns regarding its attack surface and historical vulnerability record. The plugin exposes two AJAX handlers, both of which lack authentication checks. This means any unauthenticated user could potentially interact with these handlers, posing a direct risk if they are not properly secured within the code itself.

The vulnerability history is particularly concerning, with a total of 5 known CVEs, including 2 high and 2 medium severity vulnerabilities. The common types of vulnerabilities, such as Unrestricted Upload of File with Dangerous Type and Cross-site Scripting, align with potential risks introduced by handling file uploads and user input, which this plugin likely does. The fact that the last vulnerability was recently discovered (2025-11-17) suggests ongoing security issues.

While the absence of critical taint flows and the use of prepared statements are positive indicators, the unprotected AJAX endpoints combined with the plugin's past security incidents create a notable risk. The plugin's strengths lie in its internal code handling of SQL and output, but the external attack vectors and historical issues warrant caution.

Key Concerns

  • Unprotected AJAX handlers
  • Multiple past high severity CVEs
  • Multiple past medium severity CVEs
  • Past low severity CVE
  • Vulnerability history including XSS
  • Vulnerability history including Unrestricted Upload
Vulnerabilities
5

Enable SVG, WebP, and ICO Upload Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2023: 1 CVE
2025: 2 CVEs

Severity Breakdown

High: 2
Medium: 2
Low: 1

5 total CVEs

CVE-2025-13069 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Enable SVG, WebP, and ICO Upload <= 1.1.3 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass

Nov 17, 2025 Patched in 1.1.4 (25d)

CVE-2025-12457 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads

Nov 17, 2025 Patched in 1.1.3 (25d)

CVE-2023-2143 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable SVG, WebP & ICO Upload <= 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

Jun 23, 2023 Patched in 1.1.2 (518d)

CVE-2022-36343 · low · 3.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable SVG, WebP & ICO Upload <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting

Aug 1, 2022 Patched in 1.0.3 (540d)

CVE-2022-34154 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Enable SVG, WebP & ICO Upload <= 1.1.0 - Arbitrary File Upload

Aug 1, 2022 Patched in 1.1.1 (844d)
Code Analysis
Analyzed Mar 16, 2026

Enable SVG, WebP, and ICO Upload Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (62 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 11
External Requests: 0
Bundled Libraries: 0

Output Escaping

100% escaped · 62 total outputs
Attack Surface
2 unprotected

Enable SVG, WebP, and ICO Upload Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_itc_svg_upload_dismissed · includes\class-itc.php:90
auth · wp_ajax_itc_svg_upload_dismissed_alert · includes\class-itc.php:91

WordPress Hooks 24

action · admin_notices · admin\class-admin.php:11
action · plugins_loaded · includes\class-itc.php:46
filter · upload_mimes · includes\class-itc.php:55
filter · wp_handle_upload_prefilter · includes\class-itc.php:56
filter · wp_check_filetype_and_ext · includes\class-itc.php:57
filter · wp_prepare_attachment_for_js · includes\class-itc.php:58
action · admin_head · includes\class-itc.php:59
filter · wp_check_filetype_and_ext · includes\class-itc.php:73
filter · upload_mimes · includes\class-itc.php:74
filter · wp_handle_upload_prefilter · includes\class-itc.php:75
action · admin_enqueue_scripts · includes\class-itc.php:85
action · admin_enqueue_scripts · includes\class-itc.php:86
action · admin_menu · includes\class-itc.php:87
action · admin_init · includes\class-itc.php:88
action · admin_notices · includes\class-itc.php:92
action · wp_enqueue_scripts · includes\class-itc.php:97
action · wp_enqueue_scripts · includes\class-itc.php:98
filter · upload_mimes · includes\class-svg.php:21
filter · wp_handle_upload_prefilter · includes\class-svg.php:22
filter · wp_check_filetype_and_ext · includes\class-svg.php:23
filter · wp_generate_attachment_metadata · includes\class-svg.php:24
filter · wp_prepare_attachment_for_js · includes\class-svg.php:25
action · admin_head · includes\class-svg.php:26
action · template_redirect · includes\class-svg.php:29
Maintenance & Trust

Enable SVG, WebP, and ICO Upload Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 4, 2025
PHP min version: 7.0
Downloads: 82K

Community Trust

Rating: 92/100
Number of ratings: 10
Active installs: 10K
Developer Profile

Enable SVG, WebP, and ICO Upload Developer Profile

ideasToCode

5 plugins · 13K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 390 days
Detection Fingerprints

How We Detect Enable SVG, WebP, and ICO Upload

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/enable-svg-webp-ico-upload/admin/css/itc-admin.css
/wp-content/plugins/enable-svg-webp-ico-upload/admin/js/itc-admin.js
Script Paths
/wp-content/plugins/enable-svg-webp-ico-upload/admin/js/itc-admin.js
Version Parameters
enable-svg-webp-ico-upload/admin/css/itc-admin.css?ver=
enable-svg-webp-ico-upload/admin/js/itc-admin.js?ver=

HTML / DOM Fingerprints

JS Globals
ITC_SVG_Upload_Admin
FAQ

Frequently Asked Questions about Enable SVG, WebP, and ICO Upload