WordPress Plugin Vulnerabilities

WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting

Description

The plugin does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
wp-google-fonts
Fixed in 3.1.5

References

CVE
CVE-2021-24935
URL
https://plugins.trac.wordpress.org/changeset/2623659

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top/
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
53702281-1bd5-4828-b7a4-9f81cf0b6bb6

Timeline

Publicly Published
2021-11-03 (about 4 years ago)
Added
2021-11-03 (about 4 years ago)
Last Updated
2022-09-26 (about 3 years ago)

Other

Published
Title
Published
2025-04-09
Title
Link Shield <= 0.5.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-02-12
Title
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.9 - Contributor+ Stored Cross-Site Scripting
Published
2025-11-26
Title
Essential Widgets < 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-21
Title
Simple Custom Author Profiles <= 1.0.0 - Admin+ Stored Cross-Site Scripting
Published
2025-04-24
Title
External Markdown <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting