0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Fancy Product Designer For WooCommerce Cross Site Scripting Vulnerability
## About Fancy Product Designer for WooCommerce Fancy Product Designer for WooCommerce is a WordPress plugin which allows users to design custom products in a vendor's WooCommerce store. It is sold through the third-party marketplace "Envato Market" and boasts over 15,000 sales. ## Stored XSS via SVG upload Fancy Product Designer for WooCommerce before version 4.5.1 permits the upload of unsanitized SVG files by unauthenticated users. SVG files can contain JavaScript which will be executed by the browser if the malicious SVG is accessed directly. This JavaScript will run in the context of the affected domain and logged in user. The "Require Login" setting in FPD before version 4.5.1 does not succeed in requiring users to be logged in to upload files, meaning any unauthenticated user can exploit this vulnerability. ### Details To exploit this vulnerability, an attacker needs to upload a specially crafted SVG using Fancy Product Designer and convince a logged-in user or admin to access the SVG. Once accessed, the browser will execute the JavaScript payload in the context of the user or admin on the affected domain. ### Impact This vulnerability can result in the takeover of any user's account on the affected domain. If an SVG containing a stored XSS payload is opened by a logged in administrator, it could lead to the compromise of the entire site. If opened by an anonymous user, it could attempt to phish the user's credentials by imitating a WordPress login page. SVGs accessed in this way can trivially read out current `_wpnonce` values, giving an attacker unfettered access to the entire WordPress API of an affected site. ### Proof of Concept - Account takeover SVG: [change-user-email.svg](https://github.com/jdgregson/Disclosures/blob/master/fancy-product-designer/stored-xss-via-svg-upload/change-user-email.svg) - Demo video: [stored-xss-account-takover.mp4](https://raw.githubusercontent.com/jdgregson/Disclosures/master/fancy-product-designer/stored-xss-via-svg-upload/stored-xss-account-takover.mp4) ### Disclosure Timeline - 10/10/2020: issue reported via ticket on developer's support form - 10/11/2020: developer responded discussing potential mitigations - 10/20/2020: developer released an update which did not address the issue - 10/26/2020: developer released an update which addressed the issue by only allowing a subset of tags and attributes in uploaded SVGs - 11/15/2020: full disclosure # 0day.today [2024-12-25] #