H5P < 1.15.8 – Contributor+ Stored XSS | CVE 2024-3111 | Plugin Vulnerabilities

Description

The plugin does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues

Proof of Concept

1. Upload an H5P archive containing a malicious SVG file w/an XSS
2. Example: https://drive.google.com/file/d/1DNZmv-at_HPtDeYr8ExjRrekHSUOaGzh/view?usp=sharing
3. Once the upload is finished, users will be able to access the malicious SVG directly, triggering an XSS

Affects Plugins

Fixed in 1.15.8

References

CVE

URL

https://research.cleantalk.org/cve-2024-3111/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

7c39f3b5-d407-4eb0-aa34-b498fe196c55

Timeline

Publicly Published

2024-06-06 (about 1 year ago)

Added

2024-06-06 (about 1 year ago)

Last Updated

2024-06-26 (about 1 year ago)

Other

Published

Title

Published

2025-01-29

Title

WP Image Uploader <= 1.0.1 - Reflected Cross-Site Scripting

Published

2023-09-25

Title

AcyMailing SMTP Newsletter < 8.6.3 - Reflected XSS

Published

2024-10-01

Title

Reservit Hotel < 3.0 - Admin+ Stored XSS

Published

2024-01-05

Title

Mapster WP Maps < 1.2.39 - Contributor+ Stored XSS

Published

2025-02-27

Title

WOW Entrance Effects (WEE!) <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting