5.4
CVE-2021-24637
- EPSS 0.6%
- Veröffentlicht 20.09.2021 10:15:09
- Zuletzt bearbeitet 21.11.2024 05:53:27
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginFonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting
Google Fonts Typography <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via blockType arguments
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.
Mögliche Gegenmaßnahme
Fonts Plugin | Google Fonts, Adobe Fonts & Upload Fonts: Update to version 3.0.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fontsplugin ≫ Fonts SwPlatformwordpress Version < 3.0.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Fonts Plugin | Google Fonts, Adobe Fonts & Upload Fonts
Version
[*, 3.0.3)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.6% | 0.442 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/dd2b3f22-5e8b-41cf-bcb8-d2e673e1d21e
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d3b4315-05cd-4349-8dd9-ea6792048a9d