19 matches found
CVE-2026-3535
The CVE concerns the DSGVO Google Web Fonts GDPR WordPress plugin. All versions up to 1.1 are vulnerable due to missing file type validation in the DSGVOGWPdownloadGoogleFonts() function. The function, exposed via a wp_ajax_nopriv_ hook (no authentication), fetches a user-supplied URL as a CSS fi...
CVE-2025-14351 Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCFGoogleFontsCompatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated...
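The two entries above share one shape: a font-fetching routine reachable without authentication (a `wp_ajax_nopriv_` hook, or a class constructor that registers actions for every visitor) and with no check on what is fetched or written. The block below is an added illustration, not code from the DSGVO Google Web Fonts or Custom Fonts plugins: it shows that shape first as described, then a hardened version. The action names, the `nonce` field, the host allow-list, the `demo-fonts` directory and the extension/Content-Type map are all assumptions for the example.

```php
<?php
/**
 * Added illustration (not code from any plugin listed above).
 * Pattern: a font-download AJAX endpoint, first in the vulnerable shape the
 * search results describe (wp_ajax_nopriv_, no capability check, no
 * file-type validation), then hardened. Hook names, nonce field, host
 * allow-list and target directory are hypothetical.
 */

// --- Vulnerable shape (hook left commented out; shown for contrast only) ---
// Anyone can request admin-ajax.php?action=demo_download_font_unsafe and make
// the server fetch an arbitrary URL and write its body to disk, with the
// attacker choosing both the name and the extension.
// add_action( 'wp_ajax_nopriv_demo_download_font_unsafe', 'demo_download_font_vulnerable' );
function demo_download_font_vulnerable() {
	$url  = $_POST['url'];                                        // untrusted, unvalidated
	$body = wp_remote_retrieve_body( wp_remote_get( $url ) );
	$dest = WP_CONTENT_DIR . '/uploads/fonts/' . basename( $url ); // e.g. shell.php
	file_put_contents( $dest, $body );
	wp_send_json_success( $dest );
}

// --- Hardened shape --------------------------------------------------------
// 1. Authenticated hook only: no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_demo_download_font', 'demo_download_font_hardened' );
function demo_download_font_hardened() {
	// 2. CSRF token and capability: the request must carry a nonce issued for
	//    this action and come from a user allowed to change site options.
	check_ajax_referer( 'demo_download_font', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Only http(s) URLs on allow-listed hosts are fetched. wp_safe_remote_get()
	//    additionally refuses loopback/private destinations (SSRF guard) and
	//    redirection is disabled so the host check cannot be bypassed.
	$url           = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
	$host          = wp_parse_url( $url, PHP_URL_HOST );
	$allowed_hosts = array( 'fonts.googleapis.com', 'fonts.gstatic.com' ); // assumption
	if ( ! $url || ! in_array( $host, $allowed_hosts, true ) ) {
		wp_send_json_error( 'url not allowed', 400 );
	}
	$response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		wp_send_json_error( 'fetch failed', 502 );
	}

	// 4. File-type validation on BOTH the URL extension and the returned
	//    Content-Type. The map is an assumption; tune it for the CDN you allow.
	$ext_map = array(
		'woff2' => 'font/woff2',
		'woff'  => 'font/woff',
		'ttf'   => 'font/ttf',
		'css'   => 'text/css',
	);
	$ext  = strtolower( pathinfo( (string) wp_parse_url( $url, PHP_URL_PATH ), PATHINFO_EXTENSION ) );
	$type = strtolower( trim( explode( ';', (string) wp_remote_retrieve_header( $response, 'content-type' ) )[0] ) );
	if ( ! isset( $ext_map[ $ext ] ) || $ext_map[ $ext ] !== $type ) {
		wp_send_json_error( 'unexpected file type', 415 );
	}

	// 5. Write under the uploads directory with a server-chosen name. A .php
	//    file can never result, because the extension comes from $ext_map keys.
	$upload = wp_upload_dir();
	$dir    = trailingslashit( $upload['basedir'] ) . 'demo-fonts';
	wp_mkdir_p( $dir );
	$dest = $dir . '/' . md5( $url ) . '.' . $ext;
	file_put_contents( $dest, wp_remote_retrieve_body( $response ) );
	wp_send_json_success( array( 'file' => $dest ) );
}
```

The order of the checks matters: the nonce and capability tests run before any network request, so an unauthenticated caller cannot even turn the site into a download proxy, and the Content-Type is checked against the extension rather than trusting either one alone.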
EUVD-2015-7585
Malware in sbrugna...
WordPress Aria Font plugin <= 1.4 - Cross Site Scripting (XSS) Vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Nabil Irawan in the WordPress plugin Aria Font, versions <= 1.4...
CVE-2023-6600 OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings function hooked via admin_init in all versions up to, and including, 5.7.9. Th...
Rocket Font <= 1.2.3 - Arbitrary Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
CVE-2023-46067
Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font plugin <= 1.2.3 versions...
CVE-2023-46067 WordPress Rocket Font Plugin <= 1.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font plugin <= 1.2.3 versions...
WordPress Plugin Rocket Font Cross-Site Request Forgery Vulnerability
WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. The WordPress plugin is an application plugin. A cross-site request forgery vulnerability...
CVE-2021-24977
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to send arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the...
Cross site scripting
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to send arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the...
CVE-2021-24782
CVE-2021-24782 affects the WordPress Flex Local Fonts plugin (versions ≤ 1.0.0). The vulnerability stems from not escaping the Class Name field when a font is added, allowing stored Cross-Site Scripting for users with Admin+ privileges, even with unfiltered_html disallowed. PoCs describe a payloa...
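The Rocket Font, Use Any Font and Flex Local Fonts entries above describe the other recurring defect in font plugins: a settings write with no nonce or capability check (CSRF, or fully unauthenticated), whose stored value is later echoed into markup unescaped (stored XSS, including by a user who lacks unfiltered_html). The block below is an added illustration written for this page, not code from those plugins. The option name `demo_font_class`, the nonce action, the form functions and the example payload are assumptions.

```php
<?php
/**
 * Added illustration, not code from Rocket Font, Use Any Font or Flex Local
 * Fonts. Pattern: a settings form storing a font "class name", first in the
 * shape the search results describe (no nonce, no capability check, raw
 * storage, unescaped output), then hardened. Option name, nonce action and
 * function names are hypothetical.
 */

// --- Vulnerable shape (hook left commented out; shown for contrast only) ---
// Runs on every admin page load with no nonce: a logged-in admin who visits an
// attacker's page gets the option rewritten by a cross-site POST (CSRF). The
// value is stored and later echoed raw, so the same request plants stored XSS.
// add_action( 'admin_init', 'demo_font_save_vulnerable' );
function demo_font_save_vulnerable() {
	if ( isset( $_POST['demo_font_class'] ) ) {
		update_option( 'demo_font_class', $_POST['demo_font_class'] );
	}
}
function demo_font_render_vulnerable() {
	// Payload  x" onmouseover="alert(1)  closes the attribute and adds a handler.
	echo '<span class="' . get_option( 'demo_font_class' ) . '">Aa</span>';
}

// --- Hardened shape --------------------------------------------------------
add_action( 'admin_init', 'demo_font_save_hardened' );
function demo_font_save_hardened() {
	if ( ! isset( $_POST['demo_font_class'] ) ) {
		return;
	}
	// Capability first, then the nonce emitted by wp_nonce_field() in the form.
	// check_admin_referer() dies with a 403 page when the nonce is absent or stale.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'forbidden', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'demo_font_save', 'demo_font_nonce' );

	// Sanitise on the way in. sanitize_html_class() keeps only [A-Za-z0-9_-],
	// so  x" onmouseover="alert(1)  collapses to  xonmouseoveralert1 ; an empty
	// result falls back to the second argument.
	$class = sanitize_html_class( wp_unslash( $_POST['demo_font_class'] ), 'demo-font' );
	update_option( 'demo_font_class', $class );
}

function demo_font_form_hardened() {
	echo '<form method="post">';
	wp_nonce_field( 'demo_font_save', 'demo_font_nonce' );
	// Escape on the way out as well: the option could have been written by
	// another code path (WP-CLI, an import, an older plugin version).
	printf(
		'<input type="text" name="demo_font_class" value="%s">',
		esc_attr( get_option( 'demo_font_class', 'demo-font' ) )
	);
	submit_button();
	echo '</form>';
}

function demo_font_render_hardened() {
	printf( '<span class="%s">Aa</span>', esc_attr( get_option( 'demo_font_class', 'demo-font' ) ) );
}
```

Sanitising on input and escaping on output are both needed: the input filter decides what the option may contain, while `esc_attr()` guarantees the attribute context cannot be broken out of even when a stored value did not pass through that filter.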
Fedora 30 : ckeditor (2020-261449d821)
CKEditor 4.14 Security Updates: - CVE-2020-9281 Fixed XSS vulnerability in the HTML data processor reported by Michał Bentkowski of Securitum. Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially...
WordPress Arabic Font Plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Software Foundation's blogging platform, developed in PHP, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress Arabic Font plugin. An attacker can exploit this vulnerability t...
WordPress parsi-font plugin cross-site scripting vulnerability
WordPress is the WordPress Software Foundation's blogging platform, developed in PHP, which supports personal blog sites on PHP and MySQL servers. parsi-font is one of its font plugins. A cross-site scripting vulnerability exists in the WordPress parsi-font...
Path traversal
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php...
WordPress Font 7.5 Path Traversal Vulnerability
WordPress Font plugin version 7.5 suffers from a path traversal vulnerability. Details: Software: Font; Version: 7.5; Homepage: https://wordpress.org/plugins/font/; CVE: CVE-2015-7683 (pending); CVSS: 6.3 Medium (AV:N/AC:M/Au:S/C:C/I:N/A:N); CWE: CWE-22. Description: An...
WordPress Font plugin path traversal vulnerability
WordPress is a blogging platform developed in PHP, and Font is one of its plugins. A path traversal vulnerability exists in the Font plugin for WordPress. An attacker can exploit this vulnerability to read arbitrary files...
WordPress Font Plugin <= 7.5.0 - Absolute Path Traversal
This vulnerability allows administrators to read arbitrary files via a full pathname in the "URL" parameter to AjaxProxy.php. Solution: Update the plugin...
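The four Font plugin entries describe an absolute path traversal (CWE-22): a `url` parameter meant to name a remote stylesheet is handed to a file-reading function, so a full local pathname such as the site's wp-config.php is read back to the caller. The block below is an added illustration, not the Font plugin's AjaxProxy.php: it shows the vulnerable proxy shape, then a version that accepts only allow-listed http(s) URLs or a bare filename confined to a fixed directory. The action names, the `edit_theme_options` capability, the host allow-list and the `demo-fonts` directory are assumptions.

```php
<?php
/**
 * Added illustration, not the Font plugin's AjaxProxy.php.
 * Pattern: an AJAX "proxy" that fetches a resource named by a `url`
 * parameter. Passing that parameter to a file-reading function turns a
 * CSS proxy into an arbitrary-file read (absolute path traversal, CWE-22).
 * Hook names, capability, host allow-list and directory are hypothetical.
 */

// --- Vulnerable shape (hook left commented out; shown for contrast only) ---
// file_get_contents() opens local absolute paths as readily as URLs, so
// ?url=/var/www/html/wp-config.php returns the database credentials.
// add_action( 'wp_ajax_demo_font_proxy_unsafe', 'demo_font_proxy_vulnerable' );
function demo_font_proxy_vulnerable() {
	header( 'Content-Type: text/css' );
	echo file_get_contents( $_GET['url'] );
	exit;
}

// --- Hardened shape --------------------------------------------------------
add_action( 'wp_ajax_demo_font_proxy', 'demo_font_proxy_hardened' );
function demo_font_proxy_hardened() {
	check_ajax_referer( 'demo_font_proxy', 'nonce' );
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$raw = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : '';
	$css = demo_font_proxy_fetch( $raw );
	if ( null === $css ) {
		wp_send_json_error( 'rejected', 400 );
	}
	header( 'Content-Type: text/css; charset=utf-8' );
	echo $css;
	exit;
}

/**
 * Returns the CSS text for $raw, or null if the target is not permitted.
 * Two shapes are accepted; everything else (absolute paths, ../ sequences,
 * file://, php://, data:) falls through to null.
 */
function demo_font_proxy_fetch( $raw ) {
	// Shape 1: remote http(s) URL on an allow-listed host. wp_http_validate_url()
	// rejects non-http schemes and loopback/private addresses (SSRF guard).
	if ( preg_match( '#^https?://#i', $raw ) ) {
		$host = wp_parse_url( $raw, PHP_URL_HOST );
		if ( ! wp_http_validate_url( $raw ) || ! in_array( $host, array( 'fonts.googleapis.com' ), true ) ) {
			return null;
		}
		$res = wp_safe_remote_get( $raw, array( 'timeout' => 10 ) );
		if ( is_wp_error( $res ) || 200 !== wp_remote_retrieve_response_code( $res ) ) {
			return null;
		}
		return wp_remote_retrieve_body( $res );
	}

	// Shape 2: a stylesheet previously saved under uploads/demo-fonts. Only a
	// bare filename is taken from the caller; the directory is fixed here, and
	// realpath() is compared against the base so neither ../ nor a symlink
	// planted in the directory can escape it.
	$upload = wp_upload_dir();
	$base   = realpath( trailingslashit( $upload['basedir'] ) . 'demo-fonts' );
	if ( false === $base ) {
		return null;
	}
	$name = sanitize_file_name( basename( $raw ) );
	if ( '' === $name || 'css' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
		return null;
	}
	$path = realpath( $base . DIRECTORY_SEPARATOR . $name );
	if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		return null;
	}
	return file_get_contents( $path );
}
```

The decisive change is that the caller never supplies a path the server interprets as a filesystem location: a URL must match an allow-listed host and a local name is reduced to its basename, resolved with `realpath()`, and required to sit under the fixed base directory before it is opened.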