Robert Rowley at Patchstack explains what I believe is the first-ever reported vulnerability in Gutenberg (the plugin, not in WordPress core) to make the National Vulnerability Database. Robert has opened an issue for discussion in the Gutenberg GitHub repo that has a good quick summary of the vulnerability. It appears to be only a theoretical vulnerability. To exploit it, an attacker would need the ability to create content in WordPress along with other conditions. As Robert explains:
Gutenberg allows users to click “insert URL” and paste in a remote URL that points to an SVG file. Gutenberg then uses that value in the `<img>` tag when generating the HTML. SVG files may contain javascript, which makes them a security concern similar to XSS.
(Gutenberg issue #43039: Safely handling SVG via “Insert URL” (Discussion around CVE-2022-33994))
There is no immediate risk of this vulnerability being exploited in the wild, so it represents a theoretical security concern that might help shape future development around SVGs in WordPress.
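The two defender-side checks below are an added example and are not Gutenberg, WordPress or Patchstack code. They illustrate the flow the issue describes: a user-supplied URL ends up in an `<img src>`, and the file behind it may be an SVG carrying script. The first check restricts the URL scheme a user may insert; the second scans SVG text for script-capable content so a file can be rejected before a site serves it from its own origin. Function names, the pattern list and the sample SVG strings are all assumptions constructed for this example. One caveat worth keeping in mind when reading it: browsers do not run scripts from an SVG loaded through `<img>`, but the same file reached by direct navigation or embedded via `<object>`/`<iframe>` does run them, which is why the scan is still useful.

```javascript
// Added example (not Gutenberg or WordPress code): two defender-side checks
// for the "insert URL -> <img src>" flow described above.
//   1. A scheme policy for user-supplied image URLs.
//   2. A conservative scan of SVG text for active content (scripts, event
//      handlers, javascript: links, foreignObject, animated href changes).
// All names here are assumptions, not WordPress or Gutenberg APIs.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return true only for absolute http(s) URLs. Relative strings, malformed
// input, and javascript:/data: URLs are all rejected.
function isAllowedImageUrl(input) {
  let url;
  try {
    url = new URL(input); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Patterns that indicate script-capable content inside an SVG document.
// They are deliberately broad (case-insensitive, whitespace tolerant) and
// may over-flag; this is a detector for a reject decision, not a sanitizer.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script-element', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject', re: /<\s*foreignObject\b/i },
  { name: 'animated-href', re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i },
];

// Scan SVG text and return the names of every pattern that matched,
// in the order the patterns are listed.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// An SVG is treated as inert when no active-content pattern fires.
function isInertSvg(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Constructed sample inputs (not taken from the original report).
const SAMPLE_INERT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SAMPLE_ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script>' +
  '<a xlink:href="javascript:void(0)"><rect width="1" height="1" onclick="x()"/></a></svg>';

console.log(isAllowedImageUrl('https://example.invalid/logo.svg')); // true
console.log(isAllowedImageUrl('javascript:alert(1)')); // false
console.log(findActiveContent(SAMPLE_INERT_SVG)); // []
console.log(findActiveContent(SAMPLE_ACTIVE_SVG)); // [ 'script-element', 'event-handler', 'javascript-url' ]
```

The scheme check belongs at the point where the editor accepts the pasted URL; the SVG scan belongs wherever a site would copy or proxy a remote file onto its own origin, since that is the step that turns a remote SVG into same-origin content.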
Notably, this theoretical vulnerability was discovered by Jitendra Patro, a software developer and WordPress user. Jitendra found the vulnerability in his own pentesting and has shared all the details on his blog. As a self-described WordPress enthusiast, Jitendra has made it a goal to find a vulnerability in WordPress. That might seem like strange fan behavior outside open source, but it’s actually a high compliment.
While closed-source SaaS platforms seldom have their security issues aired widely in public, an issue as massive as this recent one at Twitter is hard to hide.