Lucene search

K

Font Security Vulnerabilities

cve
cve

CVE-2024-35705

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ciprian Popescu Block for Font Awesome allows Stored XSS.This issue affects Block for Font Awesome: from n/a through...

6.5CVSS

6.5AI Score

0.0004EPSS

2024-06-08 03:15 PM
20
cve
cve

CVE-2024-5489

The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level.....

4.3CVSS

6.7AI Score

0.001EPSS

2024-06-06 12:15 PM
25
cve
cve

CVE-2024-2657

The Font Farsi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS

5.7AI Score

0.0004EPSS

2024-05-30 09:15 AM
24
cve
cve

CVE-2024-3198

The WP Font Awesome Share Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpfai_social' shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

6.4CVSS

5.7AI Score

0.0004EPSS

2024-05-22 07:15 AM
28
cve
cve

CVE-2024-1752

The Font Farsi WordPress plugin through 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.6AI Score

0.0004EPSS

2024-04-08 05:15 AM
28
cve
cve

CVE-2024-24714

Unrestricted Upload of File with Dangerous Type vulnerability in bPlugins LLC Icons Font Loader.This issue affects Icons Font Loader: from n/a through...

7.2CVSS

7.5AI Score

0.0004EPSS

2024-02-26 04:27 PM
88
cve
cve

CVE-2022-3829

The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.7AI Score

0.0004EPSS

2024-01-16 04:15 PM
355
cve
cve

CVE-2023-49751

Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu Block for Font Awesome.This issue affects Block for Font Awesome: from n/a through...

8.8CVSS

8.7AI Score

0.001EPSS

2023-12-17 10:15 AM
42
cve
cve

CVE-2023-46084

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bPlugins LLC Icons Font Loader allows SQL Injection.This issue affects Icons Font Loader: from n/a through...

8.8CVSS

9AI Score

0.001EPSS

2023-11-06 10:15 AM
23
cve
cve

CVE-2023-5860

The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload...

7.2CVSS

7.4AI Score

0.001EPSS

2023-11-02 12:15 PM
22
cve
cve

CVE-2023-5127

The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on 'icon' user supplied attribute. This makes it possible for authenticated attackers with...

6.4CVSS

5.2AI Score

0.001EPSS

2023-10-25 06:17 PM
17
cve
cve

CVE-2023-46067

Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font plugin <= 1.2.3...

8.8CVSS

8.8AI Score

0.001EPSS

2023-10-21 09:15 PM
27
cve
cve

CVE-2023-45749

Cross-Site Request Forgery (CSRF) vulnerability in Alexey Golubnichenko AGP Font Awesome Collection plugin <= 3.2.4...

8.8CVSS

8.8AI Score

0.001EPSS

2023-10-16 11:15 AM
20
cve
cve

CVE-2023-5232

The Font Awesome More Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'icon' shortcode in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4CVSS

5.3AI Score

0.0004EPSS

2023-09-28 05:15 AM
30
cve
cve

CVE-2023-5233

The Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'fawesome' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS

5.3AI Score

0.0004EPSS

2023-09-28 05:15 AM
37
cve
cve

CVE-2023-4718

The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated....

6.4CVSS

5.2AI Score

0.001EPSS

2023-09-02 04:15 AM
26
cve
cve

CVE-2023-30481

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alexey Golubnichenko AGP Font Awesome Collection plugin <= 3.2.4...

7.1CVSS

6AI Score

0.0005EPSS

2023-08-10 12:15 PM
13
cve
cve

CVE-2023-25442

Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability in Marcel Pol Zeno Font Resizer plugin <= 1.7.9...

5.9CVSS

4.8AI Score

0.001EPSS

2023-04-07 02:15 PM
20
cve
cve

CVE-2023-0419

The Shortcode for Font Awesome WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting.....

5.4CVSS

5.3AI Score

0.001EPSS

2023-02-21 09:15 AM
26
cve
cve

CVE-2023-0271

The WP Font Awesome WordPress plugin before 1.7.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.4CVSS

5.3AI Score

0.001EPSS

2023-02-21 09:15 AM
26
cve
cve

CVE-2022-4512

The Better Font Awesome WordPress plugin before 2.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.4CVSS

5.3AI Score

0.001EPSS

2023-02-13 03:15 PM
31
cve
cve

CVE-2022-4478

The Font Awesome WordPress plugin before 4.3.2 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in...

5.4CVSS

5.4AI Score

0.001EPSS

2023-01-16 04:15 PM
38
cve
cve

CVE-2012-3814

Unrestricted file upload vulnerability in font-upload.php in the Font Uploader plugin 1.2.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a .php.ttf extension, then accessing it via a direct request to the file in...

7.9AI Score

0.027EPSS

2022-10-03 04:15 PM
20
cve
cve

CVE-2022-37405

Cross-Site Request Forgery (CSRF) vulnerability in Mickey Kay's Better Font Awesome plugin <= 2.0.1 at...

8.8CVSS

8.8AI Score

0.001EPSS

2022-09-09 03:15 PM
39
3
cve
cve

CVE-2022-21165

All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec()...

9.8CVSS

9.7AI Score

0.006EPSS

2022-08-29 05:15 AM
38
4
cve
cve

CVE-2022-27851

Cross-Site Request Forgery (CSRF) in Use Any Font (WordPress plugin) <= 6.1.7 allows an attacker to deactivate the API...

5.4CVSS

4.7AI Score

0.001EPSS

2022-04-15 05:15 PM
48
cve
cve

CVE-2021-24977

The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the...

6.1CVSS

6.1AI Score

0.001EPSS

2022-02-28 09:15 AM
68
cve
cve

CVE-2021-21391

CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular...

6.5CVSS

6.2AI Score

0.005EPSS

2021-04-29 01:15 AM
51
cve
cve

CVE-2019-19308

In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, there is a NULL pointer dereference while parsing a TTF font file that lacks a name section (due to a g_strconcat call that returns...

5.5CVSS

5.3AI Score

0.001EPSS

2019-11-27 03:15 PM
31
cve
cve

CVE-2019-9908

The font-organizer plugin 2.1.1 for WordPress has wp-admin/options-general.php manage_font_id...

6.1CVSS

6.3AI Score

0.001EPSS

2019-03-22 12:29 AM
19
cve
cve

CVE-2018-0855

The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft Windows 7 SP1 and Windows Server 2008 R2 allows information disclosure, due to how the Windows EOT font engine handles embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability". This CVE ID is unique...

4.3CVSS

4.5AI Score

0.004EPSS

2018-02-15 02:29 AM
41
cve
cve

CVE-2018-0755

The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft Windows 7 SP1 and Windows Server 2008 R2 allows information disclosure, due to how the Windows EOT font engine handles embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability". This CVE ID is unique...

5.5CVSS

4.5AI Score

0.004EPSS

2018-02-15 02:29 AM
30
cve
cve

CVE-2018-0761

The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft Windows 7 SP1 and Windows Server 2008 R2 allows information disclosure, due to how the Windows EOT font engine handles embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability". This CVE ID is unique...

5.5CVSS

4.5AI Score

0.004EPSS

2018-02-15 02:29 AM
33
cve
cve

CVE-2018-0760

The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft Windows 7 SP1, Windows Server 2008 R2, and Windows Server 2012 allows information disclosure, due to how the Windows EOT font engine handles embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability"....

5.5CVSS

4.5AI Score

0.004EPSS

2018-02-15 02:29 AM
44
cve
cve

CVE-2018-0788

The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 and R2 allows an elevation of privilege vulnerability due to the way objects are handled in memory, aka "OpenType Font Driver Elevation of...

7CVSS

6AI Score

0.001EPSS

2018-01-04 02:29 PM
65
cve
cve

CVE-2018-0754

The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure...

5.5CVSS

5.2AI Score

0.001EPSS

2018-01-04 02:29 PM
106
cve
cve

CVE-2016-1000142

Reflected XSS in wordpress plugin parsi-font...

6.1CVSS

5.9AI Score

0.001EPSS

2016-10-10 08:59 PM
20
cve
cve

CVE-2016-1000126

Reflected XSS in wordpress plugin admin-font-editor...

6.1CVSS

5.9AI Score

0.001EPSS

2016-10-10 08:59 PM
31
cve
cve

CVE-2015-7683

Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to...

6.8AI Score

0.002EPSS

2015-10-16 08:59 PM
26
cve
cve

CVE-2014-2570

Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP Font Lib before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the name...

5.8AI Score

0.003EPSS

2015-08-31 06:59 PM
23
cve
cve

CVE-2007-4568

Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer...

9.7AI Score

0.905EPSS

2007-10-05 09:17 PM
41
cve
cve

CVE-2007-4990

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers....

9.6AI Score

0.033EPSS

2007-10-05 09:17 PM
38