WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

SVG Support < 2.5 - Author+ Stored Cross-Site Scripting

Description

The plugin does not properly handle SVG added via an URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks

Proof of Concept

Settings used: Restrict to Administrators? (true), Enable Advanced Mode? (true), Sanitize SVG (true), CSS Class to target (empty or style-svg)

As an author, create a post with an image in it, set the image to be loaded via an URL and put the URL to an SVG (such as https://example.com/xss.svg. If the file is not on the same domain than the blog, make sure CORS is enabled on that other host). Then go to the image block Advanced settings and set 'style-svg' in the "Additional CSS class(es)" field.

Publish/update the post and move the mouse over the SVG to trigger the XSS

Example of SVG:
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/sv
g11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onmouseover="alert(/XSS/)">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>

Affects Plugins

svg-support
Fixed in version 2.5

References

CVE
CVE-2022-1755

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Chafik Amraoui

Submitter

Chafik Amraoui

Submitter website
https://chafik.info
Submitter twitter
Chafikamr
Verified

Yes

WPVDB ID
62b2548e-6b59-48b8-b1c2-9bd47e634982

Timeline

Publicly Published

2022-09-05 (about 8 months ago)

Added

2022-09-05 (about 8 months ago)

Last Updated

2022-09-05 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin