5.4
CVE-2021-24637
- EPSS 0.2%
- Veröffentlicht 20.09.2021 10:15:09
- Zuletzt bearbeitet 21.11.2024 05:53:27
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginGoogle Fonts Typography <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via blockType arguments
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.
Mögliche Gegenmaßnahme
Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts: Update to version 3.0.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Fonts Plugin | Use Google Fonts, Adobe Fonts or Upload Fonts
Version
[*, 3.0.3)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fontsplugin ≫ Fonts SwPlatformwordpress Version < 3.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.388 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.