wpvulndb - Rizacan Tufan
WPVDB-ID: 524928D6-D4E9-4A2F-B410-46958DA549D8
History: Sep 15, 2022 - 12:00 a.m.

TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload

2022-09-15 00:00:00
Rizacan Tufan
wpscan.com

CVSS3: 5.4 Medium

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: REQUIRED
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

The plugin does not validate or sanitise a task's attachments, which could allow any authenticated user (such as a subscriber) who creates a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file.

PoC

Create a SVG with the following content:

As any authenticated user, such as subscriber:

- Go to http://vuln.local/wp-admin/admin.php?page=wppm-tasks
- Choose any task (create one if there aren't any)
- Focus on "Write a comment".
- Click on "Attach Files" and select the SVG created above
- Click on "Send".
- View the attached SVG by clicking on its URL (https://example.com/?wppm_attachment=86&tid=1&tac=OtjI9JpnQU), which will trigger the XSS
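The attachment check this advisory says is absent, as an added Python illustration (the plugin itself is PHP; this is not its code). It parses an uploaded SVG and rejects the constructs a stored-XSS payload relies on: active elements, inline event-handler attributes, and script-scheme URIs, including schemes padded with control characters, which browsers ignore. The sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed example, not the plugin's code: the attachment validation this
# advisory says is missing, as a deny-list of what a stored-XSS SVG relies on.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URI_ATTRIBUTES = {"href", "xlink:href", "src"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}
# Browsers skip control and whitespace characters inside a URI scheme; match them.
_CTRL = re.compile(r"[\x00-\x20]")
XLINK_NS = "http://www.w3.org/1999/xlink"

def _local(qname: str) -> str:
    """Strip the '{namespace}' ElementTree prefix, keeping xlink: visible."""
    if not qname.startswith("{"):
        return qname
    ns, _, local = qname[1:].partition("}")
    return f"xlink:{local}" if ns == XLINK_NS else local

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ... inline handlers
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URI_ATTRIBUTES:
                scheme = _CTRL.sub("", value).split(":", 1)[0].lower()
                if scheme in SCRIPT_SCHEMES:
                    findings.append(f"{name} uses {scheme}: URI on <{tag}>")
    return findings

def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)

# Constructed inputs: a plain shape, and a file carrying a handler and a script.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
UNSAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="0"><script/></svg>'
```

A deny-list like this is only one layer: serving attachments with Content-Disposition: attachment and a restrictive Content-Security-Policy keeps an undetected SVG from running in the site's origin.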

CPE Name     Operator  Version
taskbuilder  lt        1.0.8

