CVE-2024-10790
Description
Stored XSS in Admin and Site Enhancements plugin via SVG uploads allows authenticated attackers to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Admin and Site Enhancements (ASE) plugin for WordPress, in all versions up to and including 7.5.1, is vulnerable to Stored Cross-Site Scripting (XSS) via SVG file uploads. The plugin's SVG upload feature neither sanitizes the uploaded markup on the way in nor escapes it on the way out, so script content inside an SVG is stored verbatim and served back to browsers. The feature is optional: it must be enabled and assigned to specific user roles before the issue is reachable. [1]
Exploitation
An authenticated attacker whose role has been granted SVG upload by the plugin (the advisory describes this as custom-level access and above) can upload an SVG file containing JavaScript, for example a script element, an on* event-handler attribute, or a javascript: URI. The file is stored on the server and served from the site's uploads directory, which by default is on the site's own origin. The script runs whenever a browser renders the SVG as a document, that is, when a user navigates to the file's URL directly or a page loads it through an iframe, object, or embed element; an SVG displayed through an img tag or CSS does not execute scripts. No privileges beyond the role that holds SVG upload are needed.
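An added detection example, not code from the ASE plugin, the advisory, or this page: a Python scanner that flags the script-execution vectors an uploaded SVG can carry, so an administrator can sweep an uploads directory (wp-content/uploads, for instance) for files that would run script when opened as a document. The two SVG samples are constructed for the example, the 2 MiB size cap is an assumed limit, and the rules cover script elements, foreignObject, event-handler attributes, and javascript: URIs in any attribute (including obfuscation with embedded whitespace or control characters). It does not claim to catch every vector, and it uses the standard-library XML parser, which should be replaced with defusedxml in production.

```python
import os
import xml.etree.ElementTree as ET

MAX_BYTES = 2 * 1024 * 1024  # assumed upper bound; refuse to parse anything larger


def _local(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (lower-cased)."""
    return qualified.rsplit("}", 1)[-1].lower()


def _normalized_uri(value: str) -> str:
    """Drop whitespace and control characters so 'java\\tscript:' reads as 'javascript:'."""
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 32).lower()


def find_svg_script_vectors(svg_bytes: bytes) -> list[str]:
    """Return one finding per recognised script-execution vector; [] means none found.

    Checks: <script> elements, <foreignObject> (lets HTML ride inside the SVG),
    on* event-handler attributes, and any attribute whose value is a javascript:
    URI (href, xlink:href, or animation targets such as <set to="...">).
    The stdlib parser is used for brevity; defusedxml also blocks the
    entity-expansion attacks this check does not address.
    """
    if len(svg_bytes) > MAX_BYTES:
        return ["oversized document"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: list[str] = []
    for el in root.iter():  # document order, root included
        name = _local(el.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignobject":
            findings.append("foreignObject element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            if _normalized_uri(value).startswith("javascript:"):
                findings.append(f"javascript: URI in {aname} on <{name}>")
    return findings


def scan_directory(root_dir: str) -> dict[str, list[str]]:
    """Walk an uploads tree and map each flagged .svg path to its findings."""
    flagged: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES + 1)  # read just past the cap so it trips
            findings = find_svg_script_vectors(data)
            if findings:
                flagged[path] = findings
    return flagged


# Constructed samples (not real uploads): a clean icon and a file carrying three vectors.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#9;script:alert(2)"><text y="9">click</text></a>
</svg>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            print(path, "->", "; ".join(hits))
    else:
        print("benign:", find_svg_script_vectors(BENIGN_SVG))
        print("malicious:", find_svg_script_vectors(MALICIOUS_SVG))
```

Run it with no arguments to see the two samples classified, or with a directory path to sweep existing uploads. A flagged file shows content that would execute when the SVG is opened as a document; it is not by itself proof that this CVE was exploited, and a clean result only means none of the listed vectors is present.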
Impact
Successful exploitation lets the attacker store arbitrary web script on the site. When a user opens the SVG as a document, the script runs in that user's browser under the site's origin, which enables information disclosure, session hijacking, and requests made with the victim's privileges (including an administrator's, if one is lured to the file), among other client-side attacks. The impact is limited to users who access the malicious SVG file itself; it does not spread to pages that merely reference the image.
Mitigation
The vulnerability was fixed in version 7.5.2; users should update to 7.5.2 or later (the plugin repository currently lists 8.8.0 as the latest version [1]). Until the update is applied, disabling the SVG upload feature, or removing it from roles that are not fully trusted, closes the exploit path. Sites that cannot avoid SVG uploads should also, as defense in depth, serve files from the uploads directory with a Content-Security-Policy: sandbox header or a Content-Disposition: attachment header so that an embedded script cannot run in the site's origin, and should review already-uploaded SVG files for script content.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.