Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Fancy Product Designer For WooCommerce Cross Site Scripting

🗓️ 18 Nov 2020 00:00:00Reported by Jonathan GregsonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 580 Views

WordPress Fancy Product Designer For WooCommerce Cross Site Scripting vulnerability in SVG upload can lead to account takeover and compromise of entire site. Third-party marketplace "Envato Market

Code
`## About Fancy Product Designer for WooCommerce  
Fancy Product Designer for WooCommerce is a WordPress plugin which allows users to design custom products in a vendor's WooCommerce store. It is sold through the third-party marketplace "Envato Market" and boasts over 15,000 sales.  
  
## Stored XSS via SVG upload  
Fancy Product Designer for WooCommerce before version 4.5.1 permits the upload of unsanitized SVG files by unauthenticated users. SVG files can contain JavaScript which will be executed by the browser if the malicious SVG is accessed directly. This JavaScript will run in the context of the affected domain and logged in user.  
  
The "Require Login" setting in FPD before version 4.5.1 does not succeed in requiring users to be logged in to upload files, meaning any unauthenticated user can exploit this vulnerability.  
  
### Details  
To exploit this vulnerability, an attacker needs to upload a specially crafted SVG using Fancy Product Designer and convince a logged-in user or admin to access the SVG. Once accessed, the browser will execute the JavaScript payload in the context of the user or admin on the affected domain.  
  
### Impact  
This vulnerability can result in the takeover of any user's account on the affected domain. If an SVG containing a stored XSS payload is opened by a logged in administrator, it could lead to the compromise of the entire site. If opened by an anonymous user, it could attempt to phish the user's credentials by imitating a WordPress login page.  
  
SVGs accessed in this way can trivially read out current `_wpnonce` values, giving an attacker unfettered access to the entire WordPress API of an affected site.  
  
### Proof of Concept  
- Account takeover SVG: [change-user-email.svg](https://github.com/jdgregson/Disclosures/blob/master/fancy-product-designer/stored-xss-via-svg-upload/change-user-email.svg)  
- Demo video: [stored-xss-account-takover.mp4](https://raw.githubusercontent.com/jdgregson/Disclosures/master/fancy-product-designer/stored-xss-via-svg-upload/stored-xss-account-takover.mp4)  
  
### Disclosure Timeline  
- 10/10/2020: issue reported via ticket on developer's support form  
- 10/11/2020: developer responded discussing potential mitigations  
- 10/20/2020: developer released an update which did not address the issue  
- 10/26/2020: developer released an update which addressed the issue by only allowing a subset of tags and attributes in uploaded SVGs  
- 11/15/2020: full disclosure  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Nov 2020 00:00Current
7High risk
Vulners AI Score7
wordpressfancy product designerwoocommercecross site scriptingsvg uploadenvato marketaccount takeoverfull disclosure
580