TLP: CLEAR
Date: 03/01/2024
REF NO: CERT/2024/01/01
Severity Level: High
Components Affected
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. (version 5.7.9)
Overview
An unauthenticated Stored Cross-Site Scripting (XSS) and directory deletion vulnerability has been discovered in the “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.” plugin for WordPress. It may allow unauthenticated attackers to update the plugin’s settings and inject malicious scripts into affected sites.
Description
This vulnerability is identified as CVE-2023-6600 (CVSS score of 8.6). It could affect sites that have the OMGF plugin installed and configured, estimated at over 300,000 sites. The vulnerability is caused by a missing capability check on the update_settings() function hooked via admin_init.
Impact
This allows unauthenticated attackers to modify the plugin’s settings, leading to Stored Cross-Site Scripting and directory deletion.
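The following is an added illustration, not OMGF's code and not part of the advisory, of the weak pattern the description refers to: a settings handler attached to the admin_init hook with no capability check, shown beside a hardened form. All names with the example_ prefix, the option keys and the nonce action are assumptions.

```php
<?php
// Added illustration (hypothetical plugin, not OMGF): two versions of a
// settings handler hooked on admin_init.

// WEAK PATTERN. admin_init fires on every request to an admin entry point,
// including admin-ajax.php, which is reachable without being logged in.
// Without a capability check and a nonce, any request carrying the expected
// POST field rewrites the option, and the value is stored unsanitized.
function example_update_settings_weak() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( 'example_settings', $_POST['example_settings'] );
    }
}
add_action( 'admin_init', 'example_update_settings_weak' );

// HARDENED PATTERN. Require an authenticated user holding manage_options,
// verify a nonce bound to the settings form, and sanitize each field before
// it is persisted.
function example_update_settings_hardened() {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    // Capability check: unauthenticated or low-privilege users stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: rejects requests not originating from the plugin's own form
    // (action name and field name are assumed).
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw   = (array) wp_unslash( $_POST['example_settings'] );
    $clean = array(
        // Path-like values: plain text only, no markup.
        'cache_dir'  => sanitize_text_field( $raw['cache_dir'] ?? '' ),
        // Free-text values: strip tags so nothing script-bearing is stored.
        'custom_css' => wp_strip_all_tags( $raw['custom_css'] ?? '' ),
    );
    update_option( 'example_settings', $clean );
}
add_action( 'admin_init', 'example_update_settings_hardened' );
```

The hardened handler is also a reasonable thing to look for when auditing any plugin that writes options from admin_init: every write path should pass through current_user_can() and check_admin_referer() (or register_setting() with a sanitize_callback), and values should be escaped again with esc_html() or esc_attr() at output time.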
Solution / Workarounds
Reference
Disclaimer: The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre