WordPress File Upload < 4.16.3 – Contributor+ Stored Cross-Site Scripting via Malicious SVG | CVE 2021-24960 | Plugin Vulnerabilities

Description

The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks

Proof of Concept

1. As a contributor (or above) add the following shortcode to a post: [wordpress_file_upload uploadpatterns="*.svg"]
2. Preview/view the post and upload the following xss.svg file <svg xmlns:svg="http://www.w3.org/2000/svg"><svg:script>alert(/XSS/)</svg:script></svg>
3. Go to /wp-content/uploads/xss.svg to trigger the XSS

Affects Plugins

Fixed in 4.16.3

wordpress-file-upload-pro

Fixed in 4.16.3

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2677722

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

18902832-2973-498d-808e-c75d1aedc11e

Timeline

Publicly Published

2022-02-14 (about 3 years ago)

Added

2022-02-14 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-03-26

Title

Product Import Export for WooCommerce < 2.4.2 - Authenticated(Shop Manager+) Arbitrary File Upload

Published

2014-08-01

Title

Shotzz - Custom Background Shell Upload

Published

2023-12-12

Title

Export and Import Users and Customers < 2.4.9 - Shop Manager+ Arbitrary File Upload

Published

2023-05-31

Title

File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode

Published

2025-06-13

Title

File Manager Pro – Filester < 1.8.9 - Administrator+ Arbitrary File Upload