CVE-2026-48973

SVG Support <= 2.5.14 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.5.15
Patched in
6d
Time to patch

Description

The SVG Support plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.14. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.5.14
PublishedMay 27, 2026
Last updatedJune 1, 2026
Affected pluginsvg-support

What Changed in the Fix

Changes introduced in v2.5.15

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-48973 ## 1. Vulnerability Summary The **SVG Support** plugin (<= 2.5.14) contains a **Missing Authorization** vulnerability in its AJAX handler for toggling the "inline" status of featured images. The function `bodhi_svgs_featured_image_inline_toggle` perform…

Show full research plan

Exploitation Research Plan - CVE-2026-48973

1. Vulnerability Summary

The SVG Support plugin (<= 2.5.14) contains a Missing Authorization vulnerability in its AJAX handler for toggling the "inline" status of featured images. The function bodhi_svgs_featured_image_inline_toggle performs a generic capability check (edit_posts) rather than a specific check against the targeted Post ID (edit_post, $post_id).

This allows any authenticated user with the edit_posts capability (Contributors and above) to modify the inline_featured_image metadata for any post on the site, regardless of ownership.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: bodhi_svgs_featured_image_inline_toggle
  • Method: POST
  • Required Capability: edit_posts (Contributor role or higher)
  • Parameters:
    • action: bodhi_svgs_featured_image_inline_toggle
    • nonce: A valid WordPress nonce for the action svg-support-featured
    • post_id: The ID of the target post (e.g., an Administrator's post)
    • checked: The string 'true' or 'false' to set the meta value

3. Code Flow

The vulnerability is located in functions/featured-image.php.

  1. Registration: The AJAX actions are registered for both logged-in and logged-out users (though the handler itself requires login):
    add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');
    add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');
    
  2. The Handler: bodhi_svgs_featured_image_inline_toggle() is called.
  3. Nonce Verification: It checks a nonce against the action svg-support-featured.
  4. Flawed Authorization: It checks if the current user can edit_posts:
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('Insufficient permissions');
    }
    
    Vulnerability: Since a Contributor possesses the edit_posts capability, this check passes even if the $post_id belongs to an Administrator.
  5. Execution: The function calls bodhi_svgs_update_featured_image_meta($post_id, $checked), which performs delete_post_meta and add_post_meta on the target ID without further validation.

4. Nonce Acquisition Strategy

The nonce for the action svg-support-featured is required. Since the specific wp_localize_script call is not in the provided snippets (likely in admin/admin-init.php), we must locate it in the WordPress Admin environment.

  1. Access Post Edit Screen: Log in as a Contributor and navigate to the "New Post" page (/wp-admin/post-new.php).
  2. Search for Nonce: The plugin likely localizes the nonce for its Gutenberg filters or admin scripts. We will use browser_eval to search for the nonce in the global window object or the page source.
  3. Command:
    // Potential locations based on plugin naming conventions
    window.bodhi_svgs_admin_vars?.nonce || 
    window.svg_support_admin?.nonce || 
    document.documentElement.innerHTML.match(/"nonce":"([a-f0-9]{10})"/)[1]
    

5. Exploitation Strategy

Step 1: Target Identification

Determine the Post ID of a target post owned by an Administrator (e.g., Post ID 1).

Step 2: Session Setup

Authenticate as a Contributor.

Step 3: Nonce Harvest

Navigate to /wp-admin/post-new.php and extract the nonce for svg-support-featured.

Step 4: Unauthorized Meta Update

Send an AJAX request to update the Administrator's post.

Request Details:

  • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=bodhi_svgs_featured_image_inline_toggle&nonce=[EXTRACTED_NONCE]&post_id=1&checked=true
    

6. Test Data Setup

  1. Plugin Configuration:
    • Ensure "Advanced Mode" is enabled (via WP-CLI or Settings).
    • wp option update bodhi_svgs_settings --format=json '{"advanced_mode":"on"}' (Note: internal key name inferred, verify via wp option get).
  2. Users:
    • Administrator: admin_user
    • Contributor: attacker_user
  3. Content:
    • Create a post as Administrator: wp post create --post_author=1 --post_title="Admin Post" --post_status=publish (Note the ID, e.g., 123).

7. Expected Results

  • The AJAX request should return a JSON success message: {"success":true}.
  • The inline_featured_image metadata for the target Post ID will be updated.

8. Verification Steps

After the attack, use WP-CLI to verify the metadata change for the Administrator's post:

wp post meta get 123 inline_featured_image
# Expected output: 1

9. Alternative Approaches

If the AJAX nonce is difficult to find, check the REST API vector. The plugin registers meta with auth_callback => '__return_true':

register_meta( 'post', 'inline_featured_image', array(
    'show_in_rest' => true,
    'single' => true,
    'type' => 'boolean',
    'auth_callback' => '__return_true'
) );

While WordPress core usually prevents a Contributor from updating an Admin's post via POST /wp/v2/posts/<id>, the __return_true callback in register_meta might allow modification if the plugin provides a custom REST controller or if other filters are present. However, the AJAX bodhi_svgs_featured_image_inline_toggle function is the most direct and confirmed vulnerable path.

Research Findings
Static analysis — not yet PoC-verified

Summary

The SVG Support plugin for WordPress (<= 2.5.14) is vulnerable to unauthorized metadata modification due to a missing specific capability check in its AJAX handler for toggling the 'inline' status of featured images. Authenticated attackers with contributor-level access or higher can modify the 'inline_featured_image' meta for any post on the site, potentially affecting site layout or behavior for arbitrary content.

Vulnerable Code

// functions/featured-image.php line 134
function bodhi_svgs_featured_image_inline_toggle() {
    // Verify nonce and permissions
    if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) {
        wp_send_json_error('Invalid nonce');
    }

    if (!current_user_can('edit_posts')) {
        wp_send_json_error('Insufficient permissions');
    }

    // Validate and sanitize input
    if (!isset($_POST['post_id']) || !isset($_POST['checked'])) {
        wp_send_json_error('Missing parameters');
    }

    $post_id = intval($_POST['post_id']);
    $checked = ($_POST['checked'] === 'true');

    // Update the meta safely
    bodhi_svgs_update_featured_image_meta($post_id, $checked);

    wp_send_json_success();
}

// Hook the AJAX actions for both logged-in and non-logged-in users
add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');
add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/svg-support/2.5.14/functions/featured-image.php	2025-02-25 08:34:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/svg-support/2.5.15/functions/featured-image.php	2026-05-30 07:48:28.000000000 +0000
@@ -132,15 +132,11 @@
  * Handle the AJAX request for updating featured image inline status
  */
 function bodhi_svgs_featured_image_inline_toggle() {
-    // Verify nonce and permissions
+    // Verify nonce
     if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) {
         wp_send_json_error('Invalid nonce');
     }
 
-    if (!current_user_can('edit_posts')) {
-        wp_send_json_error('Insufficient permissions');
-    }
-
     // Validate and sanitize input
     if (!isset($_POST['post_id']) || !isset($_POST['checked'])) {
         wp_send_json_error('Missing parameters');
@@ -149,12 +145,16 @@
     $post_id = intval($_POST['post_id']);
     $checked = ($_POST['checked'] === 'true');
 
+    // Verify the current user can edit this specific post
+    if (!current_user_can('edit_post', $post_id)) {
+        wp_send_json_error('Insufficient permissions');
+    }
+
     // Update the meta safely
     bodhi_svgs_update_featured_image_meta($post_id, $checked);
 
     wp_send_json_success();
 }
 
-// Hook the AJAX actions for both logged-in and non-logged-in users
-add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');
-add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\
 No newline at end of file
+// Hook the AJAX action for logged-in users only
+add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\
 No newline at end of file

Exploit Outline

To exploit this vulnerability, an attacker requires a Contributor-level account to pass the initial `edit_posts` capability check. First, the attacker identifies a target Post ID (e.g., an Administrator's post). Next, the attacker harvests a valid AJAX nonce for the 'svg-support-featured' action, which is typically found within the WordPress admin dashboard scripts (like `wp-admin/post-new.php`). Finally, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action set to `bodhi_svgs_featured_image_inline_toggle`, the target `post_id`, the extracted `nonce`, and a `checked` parameter set to 'true' or 'false'. Because the plugin fails to check if the user can edit the specific post ID, the metadata modification is performed on the target post.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.