Understanding SVG vulnerabilities in WordPress related to a specific fix

I have enabled SVG uploading for my WordPress logo using the answer provided on this stack link, despite having read, in numerous places, that SVG support in a WordPress site opens it up to scripting attacks. Here is just one such source:

For what security reasons are svgs blocked in the media uploader?

My question is three-fold:

1) As I understand it, the hack I used (based on the above link) allows me to upload SVGs for the logo. Does that also mean that end-users (non-admins) can upload malicious SVGs that can do real damage to my site if I allow them to upload files?

2) If it does allow users to upload malicious SVG files, is there any other code I can use to defend my site from attacks?

3) If there is a vulnerability introduced by the SVG fix I used, what sort of damage could a hacker do? What kind of commands would need to happen to trigger the malicious scripts?

Thanks!

Answers

This article has a bunch of great answers to your questions. I highly recommend checking it out to learn more about the scale of this issue, but I can give a quick rundown.

SVG, since it’s XML-based, makes it really hard to decipher what is and what isn’t malicious. At one end, it opens you up to XSS attacks, and at the other, it could actually serve up a DoS attack.

He makes a reference to this WordPress Trac ticket discussing SVG security for a long time, with seemingly no end in sight.

Anyway, to answer your questions:

  1. My gut reaction is no, but truly it depends on what your end users are able to do. If they don’t have access to upload anything, then you’re fine. If they do, then it depends on what you’re using to parse your front-end file upload system. Mostly it’s about actual WP users that have the ability to upload things and how fully you trust them not to upload something malicious.

  2. There’s a plugin called Safe SVG based on a library called SVG Sanitizer. Check the readme on both to get a better understanding as to what it can/can’t prevent.

  3. The damage could be anything from skimming information to taking down your hosting server. I refer you back to the original article I linked to. The depth of what could happen when you open an SVG is pretty open ended.

SVGs are the future and I use them on every site I build, but I usually don’t allow them to be uploaded if only because they usually can be hard-coded in the theme.

I have allowed SVG uploads on sites that need to be more fluid, but I think I can appreciate the idea that it’s not enabled by default since I can count on one hand the number of times it’s actually been necessary.

As explained in the other answer, allowing users to upload SVG files can be a security risk in general; it is not a problem specific to WordPress. But note that you are using a customizer setting, so you don’t allow SVG upload to every user, only to users who can access the theme customizer.

By default, only users with the edit_theme_options capability can access the theme customizer, and by default only admins have that capability. So, in this context, the risks are really minimal; admins are supposed to know what they are doing.

And you can control exactly which users can access the customizer sections and settings using the capability argument of the WP_Customize_Manager::add_section() and WP_Customize_Manager::add_setting() methods:

  // Register the section and setting on the customize_register hook,
  // which is where $wp_customize is available.
  add_action( 'customize_register', function ( $wp_customize ) {
     $wp_customize->add_section( 'mytheme_options',
        array(
           'capability' => 'edit_theme_options', // Change this if you wish
        )
     );

     $wp_customize->add_setting( 'some_setting',
        array(
           'capability' => 'edit_theme_options', // Change this if you wish
        )
     );
  } );
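The two defences the answers point at, restricting who may upload SVGs (this answer) and sanitizing what is uploaded (the Safe SVG / SVG Sanitizer suggestion in the first answer), combined in one added example that is not code from either answer or from those plugins. The hook names and the edit_theme_options capability are WordPress core; example_sanitize_svg() is a helper written for this example and is deliberately narrower than the svg-sanitizer library.

```php
<?php
// Added example, not from either answer: allow SVG uploads only to users who
// can already edit theme options, and strip scripting from any SVG that is
// uploaded. example_sanitize_svg() is this example's own helper.

// Enable the SVG MIME type only for users who can edit theme options.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( current_user_can( 'edit_theme_options' ) ) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
} );

// Sanitize the temporary file before WordPress moves it into the library.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) !== 'svg' ) {
        return $file;
    }
    $clean = example_sanitize_svg( (string) file_get_contents( $file['tmp_name'] ) );
    if ( $clean === false ) {
        $file['error'] = 'SVG rejected: it could not be parsed or it declares entities.';
    } else {
        file_put_contents( $file['tmp_name'], $clean );
    }
    return $file;
} );

// Remove <script> elements, on* event-handler attributes and javascript: URLs.
// Returns the cleaned XML, or false when the document should be refused.
function example_sanitize_svg( $svg ) {
    libxml_use_internal_errors( true );
    $doc = new DOMDocument();
    if ( $svg === '' || ! $doc->loadXML( $svg, LIBXML_NONET ) ) { // no network fetches
        return false;
    }
    if ( $doc->doctype && $doc->doctype->entities->length > 0 ) { // XXE / entity bombs
        return false;
    }
    $xpath = new DOMXPath( $doc );
    foreach ( $xpath->query( '//*[local-name()="script"]' ) as $node ) {
        $node->parentNode->removeChild( $node );
    }
    foreach ( $xpath->query( '//@*' ) as $attr ) {
        $value = strtolower( preg_replace( '/[\s\x00-\x1f]+/', '', $attr->value ) );
        if ( stripos( $attr->name, 'on' ) === 0 || strpos( $value, 'javascript:' ) === 0 ) {
            $attr->ownerElement->removeAttributeNode( $attr );
        }
    }
    return $doc->saveXML();
}
```

This covers only script elements, event handlers and javascript: URLs; foreignObject, external references and data: URLs are left for a full sanitizer such as the library the first answer names.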