
Secure SVG Pro

Safe SVG uploads for WordPress. Deep sanitization, zero bloat, one-time price. Stop blocking SVGs. Start doing it right.

Mission Briefing

WordPress Lets Anyone Upload an SVG. That’s a Problem.

SVG files are not images. Not really. They’re XML documents that can contain scripts, event handlers, embedded iframes, external resource calls, and enough attack surface to make a security auditor cry into their coffee. WordPress knows this, which is why it blocks SVG uploads by default. But your clients need SVGs. Your theme needs SVGs. Your icon sets, your logos, your illustrations — they’re all SVGs. So you install a plugin to enable uploads and hope for the best.

That hope is doing a lot of heavy lifting.

Most plugins that unlock SVG uploads do the bare minimum: they add image/svg+xml to WordPress’s allowed MIME types and call it a day. Some do basic tag filtering. A few do more. But between the free options that skip role control entirely and the subscription tools that charge you annually for what should be a one-time purchase, there’s a gap in the market for something that actually takes the security problem seriously — without costing you a recurring fee forever.

Secure SVG Pro fills that gap. It’s a $19 one-time purchase that gives your WordPress site deep, server-side SVG sanitization, role-based upload control, proper Media Library previews, and zero frontend overhead. No API calls. No subscription. No compromises.


Why Existing Solutions Fall Short

Let’s be specific, because vague criticism helps no one.

Safe SVG is the most popular free option. It does sanitize SVGs, which is more than nothing. But it gives you no control over which user roles can upload SVGs, no configurable file size limits, and no way to tighten access if you’re running a multi-author site or a client-managed WordPress install. On a site where contributors or subscribers can upload media, Safe SVG becomes a problem you didn’t know you had.

SVG Support Pro costs $39 per year. Every year. For a feature set that, frankly, should be a one-time purchase. You’re renting the ability to upload SVGs safely. That’s the deal they’re offering. If you manage five sites, that’s $195 annually, compounding indefinitely.

Secure SVG Pro is $19, once. It sanitizes more aggressively, gives you role-based controls, and doesn’t phone home to any external service. Your SVG files are processed entirely on your server using PHP’s native DOMDocument parser. That’s it. Nothing leaves your site.


How Secure SVG Pro Works: The Sanitization Process

When a user uploads an SVG through the WordPress Media Library, Secure SVG Pro intercepts that file before it’s written to disk. It parses the raw XML using PHP’s DOMDocument — a battle-tested, server-native parser — and runs it through a multi-layer sanitization pipeline. Here’s what that looks like step by step.

Step 1: Parse and Validate the XML Structure

The file is loaded into DOMDocument for parsing. If it’s malformed XML masquerading as an SVG, the process stops here. No partial files, no guessing. The plugin only proceeds with structurally valid SVG documents. This alone catches a category of attacks that rely on parser confusion.

[Screenshot: Secure SVG Pro parsing and validating SVG XML structure on upload]

Step 2: Strip Dangerous Elements — All 18 Categories

Secure SVG Pro removes every element from a curated blocklist of 18 dangerous element types. This includes the obvious ones — <script>, <iframe>, <embed>, <object> — and the less obvious ones that security researchers have documented as attack vectors: <foreignObject>, which can inject arbitrary HTML into an SVG context; <applet>, a legacy Java execution tag; <meta> and <base>, which can redirect browsers and hijack relative URLs; and <link>, which can pull in external stylesheets. If it can execute code or load external content, it gets removed.

[Screenshot: Secure SVG Pro stripping dangerous elements from an uploaded SVG file]

Step 3: Scrub Attributes and Protocols

Element removal is necessary but not sufficient. Attacks are frequently embedded in attributes, not elements. Secure SVG Pro strips all on* event handler attributes — onclick, onload, onmouseover, and every other variation — from every element in the document. It also blocks dangerous URL protocols in href, src, and similar attributes: javascript: and vbscript: URLs are removed outright, and data:text/html URIs are blocked to prevent inline HTML injection. CSS attribute values are checked for expression() calls (a legacy IE attack vector) and -moz-binding (a Firefox-specific code execution mechanism). Both are stripped.

[Screenshot: Secure SVG Pro scrubbing event handlers and dangerous protocols from SVG attributes]

Step 4: Strip PHP Instructions, CDATA, and Metadata — Then Save

PHP processing instructions embedded in SVGs (<?php ... ?>) are removed. CDATA sections, which can be used to smuggle script content past naive parsers, are stripped. Metadata nodes that could expose author information or internal tooling details are cleaned out. What remains is a pure, safe SVG — all the shapes, gradients, animations, and visual data intact, with every known attack vector removed. The sanitized file is written to the media library. The process adds no perceptible delay to uploads.
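The four steps above, as an added example written for this page and not Secure SVG Pro's own source: a minimal sanitizer on PHP's DOMDocument that rejects malformed XML, removes a blocklist of elements, scrubs on* handlers, dangerous URL schemes and CSS vectors from attributes, and drops processing instructions, CDATA and metadata before serialising. The function names, the regexes and the element blocklist (a subset, not the plugin's 18 categories) are this example's assumptions.

```php
<?php
// Added example for this page; NOT Secure SVG Pro's source. Function names, regexes
// and the element blocklist (a subset, not the plugin's 18 categories) are assumptions.

const BLOCKED_ELEMENTS = ['script', 'iframe', 'embed', 'object', 'applet',
    'foreignobject', 'meta', 'base', 'link', 'metadata']; // matched case-insensitively

function scrub_attributes(DOMElement $el): void {  // Step 3
    $drop = [];
    foreach ($el->attributes as $attr) {
        $name = strtolower($attr->name);
        // Strip whitespace/control chars first so "java\tscript:" cannot dodge the check.
        $val = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attr->value));
        if (strncmp($name, 'on', 2) === 0                                       // on* handlers
            || preg_match('#^(javascript|vbscript):|^data:text/html#', $val)      // URL schemes
            || ($name === 'style' && preg_match('/expression\s*\(|-moz-binding/i', $attr->value))) {
            $drop[] = $attr;
        }
    }
    foreach ($drop as $attr) $el->removeAttributeNode($attr); // node-based removal also handles xlink:href
}

function sanitize_svg(string $raw): ?string {
    if ($raw === '') return null;
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // Step 1: strict parse. LIBXML_NONET forbids network access; LIBXML_NOENT is
    // deliberately NOT set, so entities are never expanded (no XXE).
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    libxml_clear_errors(); libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null
        || strtolower($doc->documentElement->localName) !== 'svg') {
        return null;  // malformed XML or non-<svg> root: reject, never "repair"
    }
    // Steps 2 and 4: collect first, then remove (mutating a live NodeList mid-walk is unsafe).
    $remove = [];
    foreach ((new DOMXPath($doc))->query('//node()') as $node) {
        if ($node->nodeType === XML_PI_NODE || $node->nodeType === XML_CDATA_SECTION_NODE) {
            $remove[] = $node;  // <?php ... ?> instructions and CDATA sections
        } elseif ($node->nodeType === XML_ELEMENT_NODE) {
            if (in_array(strtolower($node->localName), BLOCKED_ELEMENTS, true)) $remove[] = $node;
            else scrub_attributes($node);  // element stays; only its attributes are scrubbed
        }
    }
    foreach ($remove as $node) { if ($node->parentNode) $node->parentNode->removeChild($node); }
    return $doc->saveXML();  // shapes, gradients, viewBox and animations survive untouched
}
```

A `null` return means the upload should be refused outright, which is the behaviour Step 1 describes; callers should never fall back to storing the original bytes.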

[Screenshot: Secure SVG Pro final sanitized SVG saved to the WordPress media library]

The Admin Interface: Control Without Complexity

The settings panel for Secure SVG Pro is a single, clean page under your WordPress Settings menu. There’s no onboarding wizard, no feature tour, no upsell nag screen. You configure what you need and you’re done.

Role-based upload control lets you specify exactly which user roles are permitted to upload SVGs. By default, only Administrators can upload them. You can extend that to Editors, Authors, or any custom role registered on your site. Contributors and Subscribers stay locked out unless you explicitly grant access. This matters enormously on multi-user sites, membership platforms, and client-managed installs where giving everyone SVG upload rights is an invitation to trouble.

The file size limit is configurable, with a sensible default of 512KB. SVGs used in web design are almost never legitimately large files — a 2MB SVG upload is a red flag, not a routine occurrence. Set the ceiling where it makes sense for your use case.

Inline rendering can be toggled via the wp_kses integration if you need SVGs rendered inline in post content rather than as standard image tags. Dimension extraction from the viewBox attribute is handled automatically, so WordPress gets proper width and height data for your SVGs without you having to touch anything.

[Screenshot: Secure SVG Pro admin settings panel in the WordPress dashboard]

Full Feature List

  • DOMDocument-based server-side sanitization — all processing happens on your server using PHP’s native parser. No API calls. No data leaves your site.
  • 18 dangerous element categories stripped — includes <script>, <foreignObject>, <iframe>, <embed>, <object>, <applet>, <meta>, <link>, <base>, and more.
  • Event handler removal — every on* attribute stripped from every element in the document.
  • Protocol blocking — javascript:, vbscript:, and data:text/html URLs removed from all attributes.
  • CSS attack protection — expression() and -moz-binding removed from inline styles and style attributes.
  • PHP instruction stripping — processing instructions are purged before the file is saved.
  • CDATA removal — CDATA sections used to smuggle script content are stripped.
  • Metadata stripping — no author data, software fingerprints, or internal metadata survives the sanitization pass.
  • Role-based upload control — granular permission assignment per WordPress user role.
  • Configurable file size limits — default 512KB, adjustable from the settings panel.
  • Media Library previews — SVGs render as actual images in WordPress’s grid view, not as generic file icons.
  • SVG badges in media grid — SVG files are clearly labeled in the media library for easy identification.
  • Dimension extraction from viewBox — WordPress gets proper image dimensions automatically.
  • Inline rendering option — wp_kses toggle for inline SVG output in post content.
  • Zero frontend load — Secure SVG Pro loads no CSS, no JavaScript, and makes no database queries on the frontend.
  • Clean uninstall — removing the plugin cleans up all its settings and leaves your database exactly as it found it.

What Gets Preserved

Sanitization is only useful if it doesn’t break your SVGs. Secure SVG Pro is built with a preserve-first mindset for visual content. All SVG shape elements are kept intact: <path>, <rect>, <circle>, <ellipse>, <polygon>, <line>, and <polyline>. Gradients, transforms, groups, clipping paths, masks, text elements, and CSS animations all pass through cleanly. The viewBox attribute and presentation attributes used for responsive scaling are preserved. Your SVG looks exactly the same after sanitization. It just can’t execute anything.


What It Looks Like on the Frontend

From a visitor’s perspective, SVGs uploaded through Secure SVG Pro behave exactly like any other image in WordPress. They display in Gutenberg image blocks, they work in Elementor image widgets, they render in Divi modules, Beaver Builder, and WPBakery. There is no plugin-added wrapper markup, no JavaScript dependency, no additional HTTP request. The sanitized SVG file sits in your media library and gets served the same way any other image does.

The plugin contributes exactly zero bytes to your frontend page weight. No stylesheet. No script. Nothing. If you use a performance grader, Secure SVG Pro will never appear as a flag.

[Screenshot: Secure SVG Pro frontend output showing clean SVG rendering in WordPress]

Who This Is For

Freelancers and agencies who build WordPress sites for clients and need a one-license-fits-all SVG solution without a recurring bill that compounds across every site they manage.

Site owners running multi-author or membership sites where you cannot trust every registered user with unrestricted file upload privileges. The role-based control in Secure SVG Pro exists specifically for this scenario.

Developers who’ve read a CVE report or two and understand that “allows SVG uploads” and “allows SVG uploads safely” are not the same sentence. If you’ve ever looked at what a weaponized SVG can contain, you want DOMDocument-based sanitization, not regex string replacement.

Anyone currently paying $39/year for SVG Support Pro and wondering why. You can buy Secure SVG Pro once for $19, keep it forever, and stop the annual billing cycle entirely.

Performance-conscious developers who don’t want another plugin adding weight to the frontend. Zero-load plugins are rare. This is one.


How It Compares to the Alternatives

Here’s the honest breakdown, with no exaggeration in either direction.

Safe SVG (Free)

Safe SVG is a solid free plugin with genuine sanitization logic. It’s better than nothing, which puts it ahead of the average “just enable the MIME type” solution. But it has no role-based access control, no file size limits, and no way to restrict which users can upload SVGs. On a single-author blog, that’s fine. On a WooCommerce store with vendor accounts, a BuddyPress community, or any site with multiple contributor-level users, it’s an open door you didn’t mean to leave open. Secure SVG Pro closes that door.

SVG Support Pro ($39/year)

SVG Support’s premium tier is competent. It’s also $39 per year, every year, indefinitely. Three sites equals $117 annually. Five sites equals $195. Over three years of use, you’ve spent $585 for the ability to upload SVGs safely across five sites. Secure SVG Pro is $19 once, per site, with no renewal. The math is not subtle.

Secure SVG Pro ($19, one-time)

Deep server-side sanitization. Role-based controls. Configurable file size limits. Media Library previews. Zero frontend load. Clean uninstall. One payment. No subscription. Built by people who think the “recurring fee for a simple utility plugin” model is a bad deal for users.


Technical Requirements

  • WordPress: 5.0 or higher
  • PHP: 7.4 or higher (PHP 8.x fully supported)
  • PHP Extension: DOMDocument (enabled by default on virtually all managed WordPress hosts)
  • Page Builders: Compatible with Gutenberg, Elementor, Divi, Beaver Builder, and WPBakery
  • Multisite: Compatible with WordPress multisite installations
  • External Dependencies: None. No API keys, no remote services, no third-party accounts required.

The AI Or Die Now Promise

AI Or Die Now builds WordPress plugins that solve specific problems cleanly, charge a fair one-time price, and don’t pad the feature list with things designed to justify a subscription tier. Secure SVG Pro does what it says on the label. It sanitizes SVGs thoroughly, gives you control over who can upload them, adds proper Media Library support, and disappears completely from the frontend. There is no upsell inside the plugin. There is no “upgrade to Pro” prompt — this is already the Pro version. There are no nag notices. There is no data collection.

If Secure SVG Pro doesn’t work as described on your WordPress installation and you can demonstrate the issue, reach out. We stand behind the software. That’s the whole promise. No fine print.


Get Secure SVG Pro for $19 — One-Time, No Subscription

You’re one bad SVG upload away from an XSS vulnerability on a site you’re responsible for. That’s not fear-mongering — it’s the documented attack surface of the SVG format, which is why WordPress blocks them by default.

Secure SVG Pro lets you enable SVG uploads the right way: deep sanitization, role-based access, zero frontend overhead, and a one-time price that costs less than half a year of the leading subscription alternative.

$19. Once. Yours forever.

Buy Secure SVG Pro on Gumroad →

Instant download. Works on WordPress 5.0+. No subscription. No renewal. No regrets.
