Safe SVG Security & Risk Analysis

wordpress.org/plugins/safe-svg

Enable SVG uploads and sanitize them to stop XML/SVG vulnerabilities in your WordPress website.

1.0M active installs · v2.4.0 · PHP 7.4+ · WP 6.6+ · Updated Jan 4, 2026
Tags: media, mime, security, svg, vector
Security score: 94 · Grade A · Safe
CVEs total: 6 · Unpatched: 0 · Last CVE: Oct 17, 2024
Safety Verdict

Is Safe SVG Safe to Use in 2026?

Generally Safe

Score 94/100

All six known vulnerabilities in Safe SVG are patched and none is outstanding in v2.4.0. The history itself, four Cross-site Scripting issues and two denial-of-service issues in the sanitizer path, is detailed in the vulnerability list below.

6 known CVEs · Last CVE: Oct 17, 2024 · Updated 2mo ago
Risk Assessment

Safe SVG v2.4.0 presents a mixed picture. The static analysis is clean on the metrics it measures: no dangerous functions, no raw SQL (the plugin issues no database queries of its own, so the prepared-statement question does not arise), all 37 outputs escaped, and one nonce check plus three capability checks present. The attack surface is small: a single AJAX handler, wp_ajax_safe_svg_optimize in includes\optimizer.php, registered on the authenticated wp_ajax_ hook only, and the attack-surface scan lists zero unprotected entry points. Taint analysis nevertheless flags two data flows with unsanitized paths, the listed one being the optimize routine at includes\optimizer.php:153. Neither is rated critical or high, but they mark places where caller-controlled input reaches a sink without passing through a sanitizer, and since the scan does not say which function holds the nonce and capability checks, a reviewer should confirm that this handler performs both before it touches a file.

The vulnerability history is the main concern: six known CVEs, two high and four medium. All are patched, but the weakness classes recur. Four entries are Cross-site Scripting, including a content-type bypass in 2022 and a 2023 bypass in the upstream SVG Sanitizer library the plugin relies on, and two are Uncontrolled Resource Consumption (the 2019 denial-of-service pair). That pattern is what one expects from a component whose job is to parse attacker-supplied XML: each fix closes one bypass, and the next one is found in a different corner of the SVG grammar. The most recent issue, CVE-2024-8378, was published in October 2024 and fixed in 2.2.6.

In short, Safe SVG v2.4.0 is well written in the areas the static scan can measure, but its purpose is to make SVG uploads safe, and the record shows that its sanitizer has been bypassed repeatedly. Treat SVG uploads as untrusted even with the plugin installed: limit the roles allowed to upload SVGs (the plugin exposes a safe_svg_upload_roles setting, visible in the hook list below) to users you would trust with stored HTML, keep the plugin and its sanitizer dependency on the current release, and review the optimize handler's input handling against the data-flow finding.

Key Concerns

  • Single AJAX entry point (wp_ajax_safe_svg_optimize) that receives caller input; the scan reports it as authenticated, so confirm nonce and capability checks in the handler itself
  • Two data flows with unsanitized paths, including the optimize routine
  • History of 2 high severity CVEs (content-type bypass, sanitizer-library bypass)
  • History of 4 medium severity CVEs (two stored XSS, two denial of service)
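The attack-surface listing on this page shows one AJAX handler, wp_ajax_safe_svg_optimize, registered on the authenticated hook, and the code analysis counts one nonce check and three capability checks without saying where they sit. The block below is an added example, not Safe SVG's own code, of what a correctly protected wp_ajax handler for an attachment-level operation looks like and what those counts are meant to find. The action name example_svg_optimize, the handler names and the attachment_id and nonce request parameters are assumptions for illustration; the WordPress functions it calls (check_ajax_referer, current_user_can, absint, get_post_mime_type, get_attached_file, wp_get_upload_dir, wp_send_json_error) are real core APIs.

```php
<?php
/**
 * Added example, not Safe SVG's own code. Shows the checks a wp_ajax handler
 * that operates on an attachment should perform, in the order they matter.
 * Action name, handler name and the 'attachment_id' / 'nonce' parameters
 * are assumptions for illustration.
 */

// Register the authenticated variant only. Adding a wp_ajax_nopriv_* hook for
// the same callback would expose it to anonymous requests.
add_action( 'wp_ajax_example_svg_optimize', 'example_svg_optimize_handler' );

function example_svg_optimize_handler() {
	// 1. CSRF: the request must carry a nonce minted for this exact action.
	//    check_ajax_referer() ends the request with -1 / HTTP 403 on mismatch.
	check_ajax_referer( 'example_svg_optimize', 'nonce' );

	// 2. Authorization: being logged in is not a permission. Require the
	//    capability the operation needs (upload_files is what Author+ holds).
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: coerce the ID to a non-negative integer and check
	//    that it really is an SVG attachment instead of trusting the caller.
	$attachment_id = isset( $_POST['attachment_id'] ) ? absint( wp_unslash( $_POST['attachment_id'] ) ) : 0;
	if ( 0 === $attachment_id || 'image/svg+xml' !== get_post_mime_type( $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Not an SVG attachment.' ), 400 );
	}

	// 4. Per-object authorization: an Author may only act on their own uploads
	//    (edit_post on someone else's attachment maps to edit_others_posts).
	if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Cannot modify this attachment.' ), 403 );
	}

	// 5. Path confinement: resolve the stored path and refuse anything that
	//    does not live under the uploads directory, so a poisoned
	//    _wp_attached_file value cannot point the handler at arbitrary files.
	$file    = get_attached_file( $attachment_id );
	$uploads = wp_get_upload_dir();
	$real    = $file ? realpath( $file ) : false;
	$base    = realpath( $uploads['basedir'] );
	if ( false === $real || false === $base
		|| 0 !== strpos( $real, rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR ) ) {
		wp_send_json_error( array( 'message' => 'Attachment file not found.' ), 404 );
	}

	// The optimisation step itself is not the point of this example; the
	// handler reports the size of the validated file so the response is concrete.
	wp_send_json_success( array(
		'file'  => esc_html( basename( $real ) ),
		'bytes' => filesize( $real ),
	) );
}

// Client side: the nonce handed to JavaScript must be created for the same
// action string the handler verifies.
function example_svg_admin_assets() {
	wp_enqueue_script( 'example-svg-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
	wp_localize_script( 'example-svg-admin', 'exampleSvg', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'action'  => 'example_svg_optimize',
		'nonce'   => wp_create_nonce( 'example_svg_optimize' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_svg_admin_assets' );
```

This one handler accounts for one nonce check and two capability checks, which is the shape the Code Analysis counts on this page describe. When reviewing the real plugin, open includes\optimizer.php at the line the attack-surface listing gives for wp_ajax_safe_svg_optimize and confirm that the same three gates (nonce, capability, validated attachment and path) appear before any file operation.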
Vulnerabilities (6)

Safe SVG Security Vulnerabilities

CVEs by Year

2019: 3 CVEs
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE
All patched; none unpatched.

Severity Breakdown

High: 2 · Medium: 4 · 6 total CVEs

CVE-2024-8378 · medium · CVSS 5.4 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Safe SVG <= 2.2.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

Oct 17, 2024 · Patched in 2.2.6 (57d)

CVE-2023-28426 · high · CVSS 7.2 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SVG Sanitizer library <= 0.15.4 - Cross-Site Scripting Bypass (in the sanitizer library the plugin depends on; the fix reached Safe SVG in 2.1.0)

Mar 23, 2023 · Patched in 2.1.0 (306d)

CVE-2022-1091 · high · CVSS 7.7 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Safe SVG <= 1.9.9 - Content-Type Bypass

Mar 25, 2022 · Patched in 1.9.10 (669d)

WF-1a0fcd50-e9d6-49a5-979f-61f953b1a1cd-safe-svg (advisory ID; no CVE assigned) · medium · CVSS 5.4 · CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Safe SVG <= 1.9.5 - Cross-Site Scripting

Nov 8, 2019 · Patched in 1.9.6 (1537d)

CVE-2019-18855 · medium · CVSS 6.5 · CWE-400 Uncontrolled Resource Consumption

Safe SVG <= 1.9.4 - Denial of Service

Nov 5, 2019 · Patched in 1.9.5 (1540d)

CVE-2019-18854 · medium · CVSS 6.5 · CWE-400 Uncontrolled Resource Consumption

Safe SVG <= 1.9.4 - Denial of Service

Nov 5, 2019 · Patched in 1.9.5 (1540d)
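The six entries above fall into three weakness classes: stored XSS carried in SVG markup, a content-type bypass, and entity-expansion denial of service. The block below is an added example, not code from Safe SVG or from the SVG Sanitizer library it depends on, showing the minimum check that addresses each class on constructed inputs: decide the file type from the bytes rather than the declared MIME type or extension, refuse DTD entity declarations before any parser runs, and strip script-bearing elements and attributes using an element allowlist. The function names, the (deliberately small) allowlist, the size cap and the three sample documents are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from Safe SVG or the SVG Sanitizer library.
 * Demonstrates the three weakness classes in the CVE list on constructed
 * inputs: content-type bypass, stored XSS via SVG, and entity-expansion DoS.
 * Function names, allowlist, size cap and samples are assumptions.
 */

const EXAMPLE_MAX_SVG_BYTES = 2 * 1024 * 1024; // assumed cap; first resource-consumption guard

// Small element allowlist (lower-cased). A real sanitizer carries the full
// SVG vocabulary; <script>, <foreignObject>, <style> and HTML are absent on purpose.
const EXAMPLE_ALLOWED_ELEMENTS = array(
	'svg', 'g', 'defs', 'symbol', 'use', 'title', 'desc', 'path', 'rect', 'circle',
	'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan', 'image', 'a',
	'lineargradient', 'radialgradient', 'stop', 'clippath', 'mask', 'pattern',
);

/**
 * Content-type bypass: decide "is this an SVG" from the bytes, never from the
 * declared MIME type or the file name. Returns the parsed document or null.
 */
function example_parse_svg( string $bytes ): ?DOMDocument {
	if ( strlen( $bytes ) > EXAMPLE_MAX_SVG_BYTES ) {
		return null;
	}
	// Resource consumption: an internal DTD subset can declare recursive
	// entities (billion laughs). Reject entity declarations before parsing,
	// because a parser that expands them has done the damage before any
	// sanitizer sees the tree.
	if ( preg_match( '/<!ENTITY/i', $bytes ) || preg_match( '/<!DOCTYPE[^>]*\[/i', $bytes ) ) {
		return null;
	}
	$prev = libxml_use_internal_errors( true );
	$doc  = new DOMDocument();
	// LIBXML_NONET: never fetch external resources. LIBXML_NOENT is deliberately
	// not set, so entity references are never substituted.
	$ok = $doc->loadXML( $bytes, LIBXML_NONET );
	libxml_clear_errors();
	libxml_use_internal_errors( $prev );
	if ( ! $ok || null === $doc->documentElement ) {
		return null;
	}
	$root = $doc->documentElement;
	// Root must be <svg> in the SVG namespace: an HTML document or a renamed
	// PNG uploaded as image/svg+xml is rejected here regardless of headers.
	if ( 'svg' !== $root->localName || 'http://www.w3.org/2000/svg' !== $root->namespaceURI ) {
		return null;
	}
	return $doc;
}

/**
 * Stored XSS: drop elements outside the allowlist, every on* event attribute,
 * and href values that resolve to a script scheme. Returns sanitized XML, or
 * null when the input is not an acceptable SVG.
 */
function example_sanitize_svg( string $bytes ): ?string {
	$doc = example_parse_svg( $bytes );
	if ( null === $doc ) {
		return null;
	}
	$remove = array();
	// Collect first: removing nodes while walking a live NodeList skips siblings.
	foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
		if ( ! in_array( strtolower( $el->localName ), EXAMPLE_ALLOWED_ELEMENTS, true ) ) {
			$remove[] = $el;
			continue;
		}
		foreach ( iterator_to_array( $el->attributes, false ) as $attr ) {
			$name = strtolower( $attr->nodeName );
			// Normalise the value the way a browser would before scheme matching:
			// strip whitespace and control characters so "java&#x09;script:" is caught.
			$value   = strtolower( preg_replace( '/[\s\x00-\x1f]+/', '', $attr->nodeValue ) );
			$is_href = ( 'href' === $name || ':href' === substr( $name, -5 ) );
			if ( 0 === strpos( $name, 'on' )
				|| ( $is_href && preg_match( '#^(javascript:|vbscript:|data:(?!image/(png|jpe?g|gif|webp);))#', $value ) ) ) {
				$el->removeAttributeNode( $attr );
			}
		}
	}
	foreach ( $remove as $el ) {
		$el->parentNode->removeChild( $el );
	}
	return $doc->saveXML();
}

if ( PHP_SAPI === 'cli' ) {
	// Constructed samples, one per weakness class.
	$xss = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
		. '<script>alert(2)</script>'
		. '<a xlink:href=" java&#x09;script:alert(3)"><rect width="10" height="10"/></a>'
		. '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onclick="alert(4)"/></foreignObject>'
		. '</svg>';
	$bomb = '<?xml version="1.0"?><!DOCTYPE z [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
		. '<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>';
	$html = '<html xmlns="http://www.w3.org/1999/xhtml"><script>alert(5)</script></html>'; // "SVG" by file name only

	echo example_sanitize_svg( $xss ), PHP_EOL;  // event handlers, script, foreignObject and the javascript: href are gone
	var_dump( example_sanitize_svg( $bomb ) );   // rejected before parsing: entity declarations present
	var_dump( example_sanitize_svg( $html ) );   // rejected: root element is not <svg>
}
```

Save as a file of your choosing and run it with php on the command line. The ordering is the point: size cap and DTD rejection happen on raw bytes, type detection happens on the parsed root, and only then does the allowlist pass run. This skeleton does not handle everything a production sanitizer must (the full element and attribute allowlists, <style> content, <use> references to external documents, and external URLs in href on <image> and <a>), which is exactly the territory in which the 2022 and 2023 bypasses above were found.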
Code Analysis
Analyzed Mar 16, 2026

Safe SVG Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared; the plugin issues no database queries of its own)
Unescaped Output: 0 (37 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 4
External Requests: 0
Bundled Libraries: 0 (the SVG Sanitizer library behind CVE-2023-28426 is not counted here)

Output Escaping

100% escaped (37 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
optimize (includes\optimizer.php:153): user input reaches a sink without passing through a sanitizer
Attack Surface

Safe SVG Attack Surface

Entry Points: 1 · Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_safe_svg_optimize · includes\optimizer.php:44 (authenticated wp_ajax_ hook; no wp_ajax_nopriv_ variant is registered, so anonymous requests cannot reach it)

WordPress Hooks: 28 (type · hook · file:line)

filter · block_categories_all · includes\blocks.php:20
action · init · includes\optimizer.php:30
action · admin_enqueue_scripts · includes\optimizer.php:43
action · admin_init · includes\safe-svg-settings.php:19
filter · pre_update_option_safe_svg_upload_roles · includes\safe-svg-settings.php:20
action · admin_notices · safe-svg.php:55
action · admin_notices · safe-svg.php:79
action · load-upload.php · safe-svg.php:132
action · load-post-new.php · safe-svg.php:133
action · load-post.php · safe-svg.php:134
action · load-site-editor.php · safe-svg.php:135
action · media_upload_tabs · safe-svg.php:140
action · init · safe-svg.php:150
filter · wp_handle_sideload_prefilter · safe-svg.php:151
filter · wp_handle_upload_prefilter · safe-svg.php:152
filter · wp_prepare_attachment_for_js · safe-svg.php:153
filter · wp_get_attachment_image_src · safe-svg.php:154
filter · admin_post_thumbnail_html · safe-svg.php:155
action · admin_enqueue_scripts · safe-svg.php:156
action · get_image_tag · safe-svg.php:157
filter · wp_generate_attachment_metadata · safe-svg.php:158
filter · wp_get_attachment_metadata · safe-svg.php:159
filter · wp_calculate_image_srcset_meta · safe-svg.php:160
filter · upload_mimes · safe-svg.php:171
filter · wp_check_filetype_and_ext · safe-svg.php:172
filter · upload_mimes · safe-svg.php:274
filter · wp_check_filetype_and_ext · safe-svg.php:275
filter · pre_move_uploaded_file · safe-svg.php:282

The security-relevant entries are the upload-pipeline filters (upload_mimes, wp_check_filetype_and_ext, wp_handle_upload_prefilter, wp_handle_sideload_prefilter, pre_move_uploaded_file): these are the points at which WordPress hands an uploaded file to the plugin, so type checks and sanitization have to happen there. The remaining hooks are admin UI and attachment metadata handling.
Maintenance & Trust

Safe SVG Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 4, 2026
PHP min version: 7.4
Downloads: 12.7M

Community Trust

Rating: 98/100
Number of ratings: 77
Active installs: 1.0M
Developer Profile

Safe SVG Developer Profile

10up

23 plugins · 1.4M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 546 days
Detection Fingerprints

How We Detect Safe SVG

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling. Two caveats for anyone reusing them: the hook list above shows both assets are enqueued through admin_enqueue_scripts, so they appear on wp-admin pages rather than on the public front end, and the wp.media global belongs to WordPress core, so its presence alone does not indicate this plugin. The ?ver= query parameter on the asset URLs normally carries the plugin version, which is what lets an auditor tie an installation to the affected ranges in the vulnerability list.

Asset Fingerprints

Asset Paths
/wp-content/plugins/safe-svg/build/css/admin.css
/wp-content/plugins/safe-svg/build/js/admin.js
Script Paths
/wp-content/plugins/safe-svg/build/js/admin.js
Version Parameters
safe-svg/build/css/admin.css?ver=
safe-svg/build/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
safe-svg-admin-notice
Data Attributes
data-safe-svg-error
JS Globals
wp.media
FAQ

Frequently Asked Questions about Safe SVG