SVG Support < 2.3.20 – Admin+ Stored Cross-Site Scripting | CVE 2021-24686

Description

The plugin does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

With the Advanced Mode enabled, put the following payload in the "CSS Class to target" setting: "><script>alert(/XSS/)</script>

Affects Plugins

svg-support

Fixed in 2.3.20

References

CVE

CVE-2021-24686

URL

https://plugins.trac.wordpress.org/changeset/2651929

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

shivam24rai

Verified

Yes

WPVDB ID

38018695-901d-48d9-b39a-7c00df7f0a4b

Timeline

Publicly Published

2022-01-03 (about 3 years ago)

Added

2022-01-03 (about 3 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2025-04-18

Title

SB Chart block < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

Published

2022-01-14

Title

RSVP and Event Management < 2.7.5 - Reflected Cross-Site Scripting

Published

2024-05-21

Title

Piotnet Addons For Elementor < 2.4.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Attributes

Published

2015-06-14

Title

Content Grabber 1.0 - Cross-Site Scripting (XSS)

Published

2024-01-09

Title

Contact Form 7 Connector < 1.2.3 - Reflected XSS