Flex Local Fonts <= 1.0.0 – Admin+ Stored Cross-Site-Scripting | CVE 2021-24782 | Plugin Vulnerabilities

Description

The plugin does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Add a new font (Tools --> Local Fonts --> Add Font, need to have at least one font for the 'Add Font' to show up), put the following payload in the Class Name field (will trigger a self-XSS): <script>alert(/XSS/)</script> and save the change. The XSS will be triggered on the plugin's settings page (/wp-admin/tools.php?page=fsflex-local-fonts)

Affects Plugins

fsflex-local-fonts

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vishal Mohan

Submitter

Vishal Mohan

Verified

Yes

WPVDB ID

5cd846df-1d8b-488d-a691-b76850e8687a

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2020-12-19

Title

Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting

Published

2023-07-26

Title

AGP Font Awesome Collection <= 3.2.4 - Reflected XSS

Published

2015-08-25

Title

PlugNedit Adaptive Editor < 6.2.0 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-02-20

Title

Beaver Builder < 2.7.4.3 - Reflected XSS

Published

2024-05-14

Title

WP eMember < 10.3.9 - Reflected XSS