I have enabled SVG uploading for my WordPress logo using the answer provided on this stack link, despite having read, in numerous places, that SVG support in a WordPress site opens it up to scripting attacks. Here is just one such source:
For what security reasons are svgs blocked in the media uploader?
My question is three-fold:
1) As I understand it, the hack I used (based on the above link) allows me to upload SVGs for the logo. Does that also mean that end-users (non-admins) can upload malicious SVGs that can do real damage to my site if I allow them to upload files?
2) If it does allow users to upload malicious SVG files, is there any other code I can use to defend my site from attacks?
3) If there is a vulnerability introduced by the SVG fix I used, what sort of damage could a hacker do? What kind of commands would need to happen to trigger the malicious scripts?
Thanks!
This article has a bunch of great answers to your questions. I highly recommend checking it out to learn more about the scale of this issue, but I can give a quick rundown.
SVG, since it’s XML based, makes it really hard to decipher what is and what isn’t malicious. At one end, it opens you up to XSS attacks, and at the other, it could actually serve up a DoS attack.
He makes a reference to this WordPress Trac Ticket discussing SVG security for a long time, with seemingly no end in sight.
Anyway, to answer your questions:
- My gut reaction is no, but truly it depends on what your end users are able to do. If they don't have access to upload anything, then you're fine. If they do, then it depends on what you're using to parse your front-end file upload system. Mostly it's about actual WP users that have the ability to upload things and how fully you trust them not to upload something malicious.
- There's a plugin called Safe SVG based on a library called SVG Sanitizer. Check the readme on both to get a better understanding as to what it can/can't prevent.
- The damage could be anything from skimming information to taking down your hosting server. I refer you back to the original article I linked to. The depth of what could happen when you open an SVG is pretty open ended.
SVGs are the future and I use them on every site I build, but I usually don’t allow them to be uploaded if only because they usually can be hard-coded in the theme.
I have allowed SVG uploads on sites that need to be more fluid, but I think I can appreciate the idea that it’s not enabled by default since I can count on one hand the number of times it’s actually been necessary.
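To make the answer's two technical points concrete (what an SVG can carry, and what a sanitizer such as the one behind Safe SVG has to look for), here is an added pre-upload checker that is not part of the original thread and is not the Safe SVG or SVG Sanitizer code. It is written in Python so it can be run stand-alone; the same checks would sit in a WordPress `wp_handle_upload_prefilter` callback in PHP. It rejects the things the answer warns about: script execution (`<script>`, `on*` handlers, `javascript:` URLs, `foreignObject`), resources fetched from outside the file (`<use>`, `<image>`, external CSS), and the XML entity-expansion DoS. The four sample SVGs at the bottom are constructed for this example; the element and attribute lists, the size cap and the function names are this example's own choices.

```python
"""Structural checks an SVG upload filter should make before a file is
accepted. Added example, not code from the original thread or from the
Safe SVG plugin; the sample SVGs at the bottom are constructed here."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that run script or embed arbitrary HTML / foreign content.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Elements whose href fetches another document; only same-file fragments allowed.
FRAGMENT_ONLY_HREF = {"use"}
# Elements that may carry an image href; no external (scheme://) sources.
IMAGE_HREF = {"image", "feimage"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _norm(value):
    """Collapse whitespace/control chars so 'java<TAB>script:' cannot slip past."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def _bad_css(text):
    return "@import" in text or "expression(" in text or ("url(" in text and "://" in text)


def _check_attr(tag, name, value, problems):
    v = _norm(value)
    if name.startswith("on"):
        problems.append(f"<{tag}> has event handler attribute '{name}'")
    if "javascript:" in v or "data:text/html" in v:
        problems.append(f"<{tag}> attribute '{name}' carries a script URL")
    if name == "href":
        if tag in FRAGMENT_ONLY_HREF and not v.startswith("#"):
            problems.append(f"<{tag}> href must be a same-document fragment")
        if tag in IMAGE_HREF and "://" in v:
            problems.append(f"<{tag}> href points to an external resource")
    if name == "style" and _bad_css(v):
        problems.append(f"<{tag}> inline style references external or scripted CSS")


def check_svg(data, max_bytes=512 * 1024):
    """Return a list of reasons to reject the file; an empty list means it passed."""
    if len(data) > max_bytes:
        return [f"file larger than {max_bytes} bytes"]
    # Reject DOCTYPE/ENTITY *before* parsing: entity expansion ("billion laughs")
    # is the classic XML DoS, so the parser must never see those declarations.
    if re.search(rb"<!(doctype|entity)", data, re.I):
        return ["DOCTYPE or ENTITY declaration present"]
    # An xml-stylesheet PI can pull CSS from another origin.
    if re.search(rb"<\?xml-stylesheet", data, re.I):
        return ["xml-stylesheet processing instruction present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg> in the SVG namespace"]

    problems = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{tag}>")
        if tag == "style" and el.text and _bad_css(_norm(el.text)):
            problems.append("<style> block references external or scripted CSS")
        for name, value in el.attrib.items():
            _check_attr(tag, _local(name), value, problems)
    return problems


# Constructed samples: one clean logo and three of the payload shapes the
# answer alludes to (event handler + script, obfuscated javascript: URL, entity bomb).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'
XSS = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
       b'<script>alert(2)</script></svg>')
OBFUSCATED = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="java&#9;script:alert(1)"><text y="20">click</text></a></svg>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaaaaaaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
        b'<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("xss", XSS), ("obfuscated", OBFUSCATED), ("bomb", BOMB)):
        print(label, "->", check_svg(sample) or "OK")
```

The important design point is the order of checks: the DOCTYPE/ENTITY test runs on raw bytes before the parser is ever invoked, because a sanitizer that parses first and strips later has already paid the cost of the expansion. The `_norm` step matters for the same reason the answer gives for XML being "hard to decipher": browsers tolerate tabs, newlines and character references inside a URL scheme, so a check that only looks for the literal string `javascript:` is trivially bypassed. Rejecting rather than rewriting is the simpler policy to reason about for an admin-only logo upload; if untrusted users must upload SVGs, a sanitizer that removes offending nodes and re-serializes (what Safe SVG does) is the more usable option, and this checker is a reasonable second gate after it.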