SVG Support < 2.5 – Author+ Stored Cross-Site Scripting | CVE 2022-1755

Description

The plugin does not properly handle SVG added via an URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks

Proof of Concept

Settings used: Restrict to Administrators? (true), Enable Advanced Mode? (true), Sanitize SVG (true), CSS Class to target (empty or style-svg)

As an author, create a post with an image in it, set the image to be loaded via an URL and put the URL to an SVG (such as https://example.com/xss.svg. If the file is not on the same domain than the blog, make sure CORS is enabled on that other host). Then go to the image block Advanced settings and set 'style-svg' in the "Additional CSS class(es)" field.

Publish/update the post and move the mouse over the SVG to trigger the XSS

Example of SVG:
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/sv
g11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onmouseover="alert(/XSS/)">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>