WordPress Plugin Vulnerabilities
SVG Support < 2.5 - Author+ Stored Cross-Site Scripting
Description
The plugin does not properly handle SVG added via an URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks
Proof of Concept
Settings used: Restrict to Administrators? (true), Enable Advanced Mode? (true), Sanitize SVG (true), CSS Class to target (empty or style-svg) As an author, create a post with an image in it, set the image to be loaded via an URL and put the URL to an SVG (such as https://example.com/xss.svg. If the file is not on the same domain than the blog, make sure CORS is enabled on that other host). Then go to the image block Advanced settings and set 'style-svg' in the "Additional CSS class(es)" field. Publish/update the post and move the mouse over the SVG to trigger the XSS Example of SVG: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/sv g11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onmouseover="alert(/XSS/)"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> </svg>
Affects Plugins
Fixed in 2.5 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chafik Amraoui
Submitter
Chafik Amraoui
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-05 (about 1 years ago)
Added
2022-09-05 (about 1 years ago)
Last Updated
2022-09-05 (about 1 years ago)
WPScan 