WP SVG Images < 3.4 – Authenticated (author+) Stored XSS via SVG | CVE 2021-24386

Description

The plugin did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended.

Proof of Concept

As an author, upload a malicious SVG and then access it directly (ie https://example.com/wp-content/uploads/2021/06/xss.svg) to trigger the XSS

Affects Plugins

wp-svg-images

Fixed in 3.4

References

CVE

CVE-2021-24386

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Rasi

Submitter

Afeef

Verified

Yes

WPVDB ID

e9b48b19-14cc-41ad-a029-f7f9ae236e4e

Timeline

Publicly Published

2021-06-14 (about 2 years ago)

Added

2021-06-14 (about 2 years ago)

Last Updated

2021-06-25 (about 2 years ago)

Other

Published

Title

Published

2024-03-22

Title

Page Builder by SiteOrigin < 2.29.7 - Contributor+ Stored XSS

Published

2022-01-26

Title

WP RSS Aggregator < 4.20 - Reflected Cross-Site Scripting (XSS)

Published

2014-08-01

Title

Occasions 1.0.4 - occasions/occasions.php occ_content1 Parameter XSS

Published

2022-02-10

Title

Social Media Feather < 2.0.5 - Admin+ Stored Cross-Site Scripting

Published

2022-11-17

Title

Chameleon < 1.4.4 - Admin+ Stored XSS