SVG Support < 2.3.20 – Admin+ Stored Cross-Site Scripting | CVE 2021-24686

Description

The plugin does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

With the Advanced Mode enabled, put the following payload in the "CSS Class to target" setting: "><script>alert(/XSS/)</script>

Affects Plugins

svg-support

Fixed in 2.3.20

References

CVE

CVE-2021-24686

URL

https://plugins.trac.wordpress.org/changeset/2651929

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

shivam24rai

Verified

Yes

WPVDB ID

38018695-901d-48d9-b39a-7c00df7f0a4b

Timeline

Publicly Published

2022-01-03 (about 2 years ago)

Added

2022-01-03 (about 2 years ago)

Last Updated

2022-04-16 (about 2 years ago)

Other

Published

Title

Published

2023-11-07

Title

WPDBSpringClean <= 1.6 - Reflected XSS

Published

2024-03-29

Title

Ultimate Social Comments – Email Notification & Lazy Load <= 1.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-07-21

Title

Google Language Translator < 6.0.10 - Authenticated Cross-Site Scripting (XSS)

Published

2017-01-16

Title

Event Notifier < 1.2.1 - XSS

Published

2024-03-29

Title

GetResponse for WordPress <= 5.5.35 - Contributor+ Stored XSS