CVE-2019-14216 – svg-vector-icon-plugin WordPress plugin vulnerable to CSRF and Arbitrary File Upload leading to Remote Code Execution

Plugin Homepage: https://wordpress.org/plugins/svg-vector-icon-plugin/

Endpoint: /wp-admin/admin.php?page=wp-svg-icons-custom-set

WP SVG Icons allows administrators to upload “Custom Icon” sets within the plugin. The upload form has no CSRF protection, and the uploaded .zip package is not content-checked, so a file such as a PHP proof of concept or web shell can be placed in the zip and will be unzipped into the /wp-content/uploads/wp-svg-icons/custom-pack directory. The CSRF therefore leads to an Arbitrary File Upload vulnerability.

The following POC is a CSRF request carrying a zip file that contains “test.php”, which invokes phpinfo(). If successful, RCE is confirmed at: /wp-content/uploads/wp-svg-icons/custom-pack/test.php
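As an added example, not code from the plugin or its author, this is how the custom-set upload handler described above can be hardened against both halves of the issue: a WordPress nonce check rejects the cross-site request, and the archive entries are vetted before extraction so a .php file never reaches the custom-pack directory. The hook name, nonce action and form field names are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hardened handler for the
// "Custom Icon" set upload. Hook name, nonce action and form field names
// (custom_set, _wpnonce) are assumptions for illustration.

add_action( 'admin_post_example_svg_icons_upload', 'example_svg_icons_handle_upload' );

function example_svg_icons_handle_upload() {
    // Only administrators may install icon sets.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the form must carry a nonce bound to this action and user.
    // A request forged from another origin cannot include it, so it is rejected here.
    check_admin_referer( 'example_svg_icons_upload', '_wpnonce' );

    if ( empty( $_FILES['custom_set']['tmp_name'] ) || UPLOAD_ERR_OK !== $_FILES['custom_set']['error'] ) {
        wp_die( 'No file uploaded.' );
    }

    $zip = new ZipArchive();
    if ( true !== $zip->open( $_FILES['custom_set']['tmp_name'] ) ) {
        wp_die( 'Not a valid zip archive.' );
    }

    // Content check before extraction: every entry must be a flat, plainly named
    // .svg file. This rejects test.php, nested paths and traversal names alike.
    $entries = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->statIndex( $i )['name'];
        if ( ! preg_match( '/^[A-Za-z0-9_-]+\.svg$/', $name ) ) {
            $zip->close();
            wp_die( 'Only .svg files are allowed; rejected entry: ' . esc_html( $name ) );
        }
        $entries[] = $name;
    }

    $target = trailingslashit( wp_upload_dir()['basedir'] ) . 'wp-svg-icons/custom-pack';
    wp_mkdir_p( $target );
    $zip->extractTo( $target, $entries ); // extract only the vetted entries
    $zip->close();

    wp_safe_redirect( admin_url( 'admin.php?page=wp-svg-icons-custom-set&uploaded=1' ) );
    exit;
}
```

The form that posts to this handler must emit the matching nonce with wp_nonce_field( 'example_svg_icons_upload' ). SVG files can themselves carry script, so sanitising the SVG content is a separate step this example does not cover.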

CVE-2019-12934 – wp-code-highlightjs WordPress Plugin CSRF leads to blog-wide injected script/HTML

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.

wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.

An attacker could leverage this CSRF to inject a script tag that executes blog-wide once the setting is saved; coupled with a WordPress user-creation payload, this could potentially lead to RCE.

Proof of Concept:

where poc.js could be a payload similar to:

https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js