Fontific | Google Fonts <= 0.1.6 – Cross-Site Request Forgery via ajax_fontific_save_all | CVE 2024-27194 | Plugin Vulnerabilities

Description

The Fontific | Google Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.6. This is due to missing or incorrect nonce validation on the 'ajax_fontific_save_all' function. This makes it possible for unauthenticated attackers to modify the plugin's settings, which includes injecting malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/177a2bda-6c40-4ff6-a53f-e6b2a8408d8a

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dimas Maulana

Verified

No

WPVDB ID

d99002f6-2578-4653-aa35-4c7b9052e816

Timeline

Publicly Published

2024-02-26 (about 2 years ago)

Added

2024-02-28 (about 2 years ago)

Last Updated

2024-02-28 (about 2 years ago)

Other

Published

Title

Published

2024-06-27

Title

DL Robots.txt <= 1.2 - Admin+ Stored XSS

Published

2022-12-27

Title

Page-list < 5.3 - Contributor+ Stored XSS

Published

2021-12-27

Title

myCred < 2.4 - Reflected Cross-Site Scripting

Published

2023-01-03

Title

Justified Gallery < 1.7.1 - Contributor+ Stored XSS via Shortcode

Published

2024-04-05

Title

Salon booking system < 9.6.6 - Editor+ Stored XSS via Email Settings