SVG Block < 1.1.20 – Author+ Stored XSS via SVG File Upload | CVE 2024-4269 | Plugin Vulnerabilities

Description

The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

Proof of Concept

1. Create a SVG file with the malicious payload within it; Example SVG file: https://github.com/codesecure-org/xss-svg/blob/main/1.svg?short_path=97b023c
2. As a user with the Author role, go to the "Media" page and upload the SVG file
3. Access the uploaded file directly
4. You will see the XSS

Affects Plugins

Fixed in 1.1.20

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rayhan Ramdhany Hanaputra

Submitter

Rayhan Ramdhany Hanaputra

Submitter twitter

Verified

Yes

WPVDB ID

8aae7aa1-6170-45d8-903f-8520913276da

Timeline

Publicly Published

2024-06-22 (about 1 year ago)

Added

2024-06-22 (about 1 year ago)

Last Updated

2024-06-22 (about 1 year ago)

Other

Published

Title

Published

2023-06-15

Title

MasterStudy LMS < 3.0.9 - Contributor+ Stored XSS

Published

2024-03-11

Title

WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS

Published

2022-02-28

Title

SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting

Published

2025-03-31

Title

Ethiopian Calendar <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-05

Title

Login Logo Editor <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting