Flex Local Fonts <= 1.0.0 – Admin+ Stored Cross-Site-Scripting | CVE 2021-24782 | Plugin Vulnerabilities

Description

The plugin does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Add a new font (Tools --> Local Fonts --> Add Font, need to have at least one font for the 'Add Font' to show up), put the following payload in the Class Name field (will trigger a self-XSS): <script>alert(/XSS/)</script> and save the change. The XSS will be triggered on the plugin's settings page (/wp-admin/tools.php?page=fsflex-local-fonts)

Affects Plugins

fsflex-local-fonts

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vishal Mohan

Submitter

Vishal Mohan

Verified

Yes

WPVDB ID

5cd846df-1d8b-488d-a691-b76850e8687a

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2025-03-27

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.15 - Reflected Cross-Site Scripting

Published

2025-02-14

Title

Eventer < 3.9.9 - Reflected Cross-Site Scripting

Published

2025-11-10

Title

WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-12-20

Title

SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting

Published

2024-10-16

Title

Persian WooCommerce SMS < 7.0.3 - Reflected Cross-Site Scripting