Announcing Allow SVG
Ben Word
We’re excited to introduce Allow SVG, a minimal, security-first WordPress plugin that enables SVG file uploads with zero configuration.
SVG support in WordPress has been a long-standing feature request (open since 2011), but the risks of unsanitized uploads have kept it out of core.
Why another SVG plugin?
Most existing SVG upload plugins are either:
- Over-engineered with unnecessary UI or configuration
- Bundled with inline rendering or unrelated frontend logic
Allow SVG does just one thing: it adds SVG support to your WordPress site, without exposing your site to script injection or XXE vulnerabilities.
Security-first by design
Allow SVG actively scans and validates uploaded files using PHP’s DOMDocument, with protections against:
- Embedded
<script>tags - Inline event handlers (
onload,onclick, etc.) <foreignObject>and other XSS vectors- External entities and remote references (XXE)
Zero configuration
There are no settings pages, toggles, or prompts. Just install the plugin and SVG uploads are enabled for users with media upload permissions.
It works out of the box in both single-site and multisite environments, and plays nicely with custom roles or permissions systems.
Built for developers
The plugin is fully test-covered, with:
- PHP unit tests
- Integration tests for WordPress hooks
- End-to-end tests using Playwright
The source is intentionally minimal, modern, and documented. If you’re building with Bedrock, this will drop cleanly into your stack.
Get started
Allow SVG is open-source and available now on GitHub.