Sploit.io - Search

Product: R Animated Icon Plugin, version: >= *, <= 1.0

CVE-2024-9272

Severity: MEDIUM

Description: The R Animated Icon Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS Score: 6.4

Priority

B

CISA Data

EPSS Data

  • EPSS: 0.000450000
  • Percentile: 0.160050000
  • Date: 2025-01-20

ExploitDB

No data available.

HackerOne Data

  • Rank: 7457
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

Nuclei Templates

No data available.

VulnCheck Data

Affected Products:

• mascotdevelopers R Animated Icon Plugin - Versions: *

References:

Risk Assessment

1. Risk Assessment
The vulnerability identified as CVE-2024-9272 is a Stored Cross-Site Scripting (XSS) issue in the R Animated Icon Plugin for WordPress, affecting all versions up to and including 1.0. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with Author-level access or higher to upload malicious SVG files containing arbitrary web scripts. These scripts execute when a user accesses the uploaded SVG file, potentially leading to unauthorized actions, data theft, or session hijacking.

The CVSS v3.1 base score of 6.4 (MEDIUM) reflects the moderate risk level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and demands low privileges (PR:L). The scope is changed (S:C), meaning the vulnerability can impact resources beyond the vulnerable component. The impact is partial on confidentiality (C:L) and integrity (I:L), with no direct impact on availability (A:N).

The likelihood of exploitation is moderate, as it requires an attacker to have Author-level access, which limits the pool of potential attackers. However, the ease of exploitation is high once access is obtained, as the vulnerability does not require advanced technical skills to exploit. The business impact includes potential reputational damage, unauthorized data access, and manipulation of website content, which could affect user trust and compliance with data protection regulations.

2. Potential Attack Scenarios
An attacker with Author-level access to a WordPress site using the R Animated Icon Plugin could exploit this vulnerability by uploading a malicious SVG file containing embedded JavaScript. For example, the attacker could craft an SVG file with a script designed to steal session cookies or redirect users to a phishing site. Once uploaded, the malicious SVG file is stored on the server.

When a legitimate user, such as an administrator or visitor, accesses the page where the SVG file is displayed, the embedded script executes in their browser. This could lead to session hijacking, where the attacker gains access to the user’s account, or data exfiltration, where sensitive information is sent to the attacker’s server. The attacker could also deface the website or inject additional malicious content, further compromising the site’s integrity and user trust.

3. Mitigation Recommendations
Immediate action is required to mitigate this vulnerability. The following steps are recommended:
- Update the R Animated Icon Plugin to a version beyond 1.0 if a patch is available. If no patch is available, consider disabling or removing the plugin until a fix is released.
- Implement strict input validation and output escaping for all user-uploaded files, particularly SVG files, to prevent malicious script execution.
- Restrict file upload permissions to trusted users only and monitor file uploads for suspicious activity.
- Regularly audit user accounts and permissions to ensure that only necessary users have Author-level access or higher.
- Use a web application firewall (WAF) to detect and block malicious file uploads and XSS attempts.
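One way to implement the "strict input validation" step for SVG uploads, as an added example that is not the plugin's or WordPress's own code: a Python check that rejects SVG markup carrying script elements, event-handler attributes or script URLs before the file is stored. The two sample SVGs are constructed for the example; on a WordPress site the equivalent check would run in PHP on the upload path.

```python
"""Defensive pre-storage check for uploaded SVG files (example code, not the plugin's)."""
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG carry executable or embedded content in a browser.
SCRIPT_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes in href / xlink:href that execute or smuggle content.
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_script_findings(svg_bytes):
    """Return a list of findings; an empty list means no script vector was seen."""
    findings = []
    try:
        # expat does not fetch external entities, so untrusted input is parsed offline;
        # size-limit the upload before calling this to bound entity-expansion cost.
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if local_name(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % local_name(root.tag))
    for el in root.iter():
        name = local_name(el.tag)
        if name in SCRIPT_TAGS:
            findings.append("disallowed element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):          # onload, onclick, onerror, ...
                findings.append("event handler %s on <%s>" % (aname, name))
            elif aname == "href" and DANGEROUS_URL.match(value):
                findings.append("script URL in href on <%s>" % name)
    return findings


def is_safe_svg(svg_bytes):
    """True only when the upload should be accepted as a static image."""
    return not svg_script_findings(svg_bytes)


# Constructed samples: a plain icon, and one using three script vectors (all inert here).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<script>/* constructed */</script><circle onload="0" cx="5" cy="5" r="4"/>'
                b'<a xlink:href="javascript:void 0"><text>x</text></a></svg>')

if __name__ == "__main__":
    print("clean:", is_safe_svg(CLEAN_SVG), "| scripted:", svg_script_findings(SCRIPTED_SVG))
```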

For further guidance, refer to the following resources:
- Wordfence Threat Intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/56fd8166-da22-4a0b-a23f-41817acba6df?source=cve
- WordPress Plugin Directory: https://wordpress.org/plugins/r-animated-icon/#developers

4. Executive Summary
CVE-2024-9272 is a medium-risk vulnerability in the R Animated Icon Plugin for WordPress, allowing authenticated attackers with Author-level access to upload malicious SVG files that execute arbitrary scripts. This could lead to unauthorized data access, session hijacking, or website defacement, impacting user trust and compliance.

While exploitation requires Author-level access, the ease of exploitation and potential business impact make this a significant concern. Immediate action is recommended, including updating the plugin, restricting file upload permissions, and implementing additional security measures such as input validation and a web application firewall. Addressing this vulnerability promptly will help protect your website’s integrity, user data, and reputation.