CVELIST:CVE-2021-24637 (source: WPScan)
History: Sep 20, 2021 - 10:06 a.m.

CVE-2021-24637 Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting

Published: 2021-09-20 10:06:42
CWE: CWE-79
Reporter: WPScan
Reference: www.cve.org
Tags: cve-2021-24637, wordpress plugin, stored cross-site scripting, gutenberg block, contributor role

EPSS: 0.001
Percentile: 24.8%

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.

CNA Affected

[
  {
    "product": "Fonts Plugin | Google Fonts Typography",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "3.0.3",
        "status": "affected",
        "version": "3.0.3",
        "versionType": "custom"
      }
    ]
  }
]
