SVG Support <= 2.5.14 - Missing Authorization
Description
The SVG Support plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.14. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.5.15
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48973 ## 1. Vulnerability Summary The **SVG Support** plugin (<= 2.5.14) contains a **Missing Authorization** vulnerability in its AJAX handler for toggling the "inline" status of featured images. The function `bodhi_svgs_featured_image_inline_toggle` perform…
Show full research plan
Exploitation Research Plan - CVE-2026-48973
1. Vulnerability Summary
The SVG Support plugin (<= 2.5.14) contains a Missing Authorization vulnerability in its AJAX handler for toggling the "inline" status of featured images. The function bodhi_svgs_featured_image_inline_toggle performs a generic capability check (edit_posts) rather than a specific check against the targeted Post ID (edit_post, $post_id).
This allows any authenticated user with the edit_posts capability (Contributors and above) to modify the inline_featured_image metadata for any post on the site, regardless of ownership.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
bodhi_svgs_featured_image_inline_toggle - Method:
POST - Required Capability:
edit_posts(Contributor role or higher) - Parameters:
action:bodhi_svgs_featured_image_inline_togglenonce: A valid WordPress nonce for the actionsvg-support-featuredpost_id: The ID of the target post (e.g., an Administrator's post)checked: The string'true'or'false'to set the meta value
3. Code Flow
The vulnerability is located in functions/featured-image.php.
- Registration: The AJAX actions are registered for both logged-in and logged-out users (though the handler itself requires login):
add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle'); add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle'); - The Handler:
bodhi_svgs_featured_image_inline_toggle()is called. - Nonce Verification: It checks a nonce against the action
svg-support-featured. - Flawed Authorization: It checks if the current user can
edit_posts:
Vulnerability: Since a Contributor possesses theif (!current_user_can('edit_posts')) { wp_send_json_error('Insufficient permissions'); }edit_postscapability, this check passes even if the$post_idbelongs to an Administrator. - Execution: The function calls
bodhi_svgs_update_featured_image_meta($post_id, $checked), which performsdelete_post_metaandadd_post_metaon the target ID without further validation.
4. Nonce Acquisition Strategy
The nonce for the action svg-support-featured is required. Since the specific wp_localize_script call is not in the provided snippets (likely in admin/admin-init.php), we must locate it in the WordPress Admin environment.
- Access Post Edit Screen: Log in as a Contributor and navigate to the "New Post" page (
/wp-admin/post-new.php). - Search for Nonce: The plugin likely localizes the nonce for its Gutenberg filters or admin scripts. We will use
browser_evalto search for the nonce in the globalwindowobject or the page source. - Command:
// Potential locations based on plugin naming conventions window.bodhi_svgs_admin_vars?.nonce || window.svg_support_admin?.nonce || document.documentElement.innerHTML.match(/"nonce":"([a-f0-9]{10})"/)[1]
5. Exploitation Strategy
Step 1: Target Identification
Determine the Post ID of a target post owned by an Administrator (e.g., Post ID 1).
Step 2: Session Setup
Authenticate as a Contributor.
Step 3: Nonce Harvest
Navigate to /wp-admin/post-new.php and extract the nonce for svg-support-featured.
Step 4: Unauthorized Meta Update
Send an AJAX request to update the Administrator's post.
Request Details:
- URL:
http://vulnerable-wp.local/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=bodhi_svgs_featured_image_inline_toggle&nonce=[EXTRACTED_NONCE]&post_id=1&checked=true
6. Test Data Setup
- Plugin Configuration:
- Ensure "Advanced Mode" is enabled (via WP-CLI or Settings).
wp option update bodhi_svgs_settings --format=json '{"advanced_mode":"on"}'(Note: internal key name inferred, verify viawp option get).
- Users:
- Administrator:
admin_user - Contributor:
attacker_user
- Administrator:
- Content:
- Create a post as Administrator:
wp post create --post_author=1 --post_title="Admin Post" --post_status=publish(Note the ID, e.g.,123).
- Create a post as Administrator:
7. Expected Results
- The AJAX request should return a JSON success message:
{"success":true}. - The
inline_featured_imagemetadata for the target Post ID will be updated.
8. Verification Steps
After the attack, use WP-CLI to verify the metadata change for the Administrator's post:
wp post meta get 123 inline_featured_image
# Expected output: 1
9. Alternative Approaches
If the AJAX nonce is difficult to find, check the REST API vector. The plugin registers meta with auth_callback => '__return_true':
register_meta( 'post', 'inline_featured_image', array(
'show_in_rest' => true,
'single' => true,
'type' => 'boolean',
'auth_callback' => '__return_true'
) );
While WordPress core usually prevents a Contributor from updating an Admin's post via POST /wp/v2/posts/<id>, the __return_true callback in register_meta might allow modification if the plugin provides a custom REST controller or if other filters are present. However, the AJAX bodhi_svgs_featured_image_inline_toggle function is the most direct and confirmed vulnerable path.
Summary
The SVG Support plugin for WordPress (<= 2.5.14) is vulnerable to unauthorized metadata modification due to a missing specific capability check in its AJAX handler for toggling the 'inline' status of featured images. Authenticated attackers with contributor-level access or higher can modify the 'inline_featured_image' meta for any post on the site, potentially affecting site layout or behavior for arbitrary content.
Vulnerable Code
// functions/featured-image.php line 134 function bodhi_svgs_featured_image_inline_toggle() { // Verify nonce and permissions if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) { wp_send_json_error('Invalid nonce'); } if (!current_user_can('edit_posts')) { wp_send_json_error('Insufficient permissions'); } // Validate and sanitize input if (!isset($_POST['post_id']) || !isset($_POST['checked'])) { wp_send_json_error('Missing parameters'); } $post_id = intval($_POST['post_id']); $checked = ($_POST['checked'] === 'true'); // Update the meta safely bodhi_svgs_update_featured_image_meta($post_id, $checked); wp_send_json_success(); } // Hook the AJAX actions for both logged-in and non-logged-in users add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle'); add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');
Security Fix
@@ -132,15 +132,11 @@ * Handle the AJAX request for updating featured image inline status */ function bodhi_svgs_featured_image_inline_toggle() { - // Verify nonce and permissions + // Verify nonce if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) { wp_send_json_error('Invalid nonce'); } - if (!current_user_can('edit_posts')) { - wp_send_json_error('Insufficient permissions'); - } - // Validate and sanitize input if (!isset($_POST['post_id']) || !isset($_POST['checked'])) { wp_send_json_error('Missing parameters'); @@ -149,12 +145,16 @@ $post_id = intval($_POST['post_id']); $checked = ($_POST['checked'] === 'true'); + // Verify the current user can edit this specific post + if (!current_user_can('edit_post', $post_id)) { + wp_send_json_error('Insufficient permissions'); + } + // Update the meta safely bodhi_svgs_update_featured_image_meta($post_id, $checked); wp_send_json_success(); } -// Hook the AJAX actions for both logged-in and non-logged-in users -add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle'); -add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\ No newline at end of file +// Hook the AJAX action for logged-in users only +add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\ No newline at end of file
Exploit Outline
To exploit this vulnerability, an attacker requires a Contributor-level account to pass the initial `edit_posts` capability check. First, the attacker identifies a target Post ID (e.g., an Administrator's post). Next, the attacker harvests a valid AJAX nonce for the 'svg-support-featured' action, which is typically found within the WordPress admin dashboard scripts (like `wp-admin/post-new.php`). Finally, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action set to `bodhi_svgs_featured_image_inline_toggle`, the target `post_id`, the extracted `nonce`, and a `checked` parameter set to 'true' or 'false'. Because the plugin fails to check if the user can edit the specific post ID, the metadata modification is performed on the target post.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.