The plugin does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues.
The XSS from googlefont_ajax_name is triggered when the mouse is over any of the checkboxes. The one from googlefont_ajax_family is triggered only in sections 1 and 4.
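The class of fix described above, as an added sketch that is not the plugin's code or its actual patch: a hypothetical handler for the same AJAX action that gates access and escapes both parameters for the attribute context. Only the action and parameter names come from the advisory; the function name, nonce action, capability and markup are assumptions.

```php
<?php
// Added illustration: hypothetical handler, not the wp-google-fonts source.
// Assumed names: example_googlefont_action, example_googlefont_nonce,
// the manage_options capability and the checkbox markup.

add_action( 'wp_ajax_googlefont_action', 'example_googlefont_action' );

function example_googlefont_action() {
    // wp_ajax_* hooks fire for every logged-in user, so gate the handler.
    check_ajax_referer( 'example_googlefont_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // sanitize_text_field() strips tags and control characters but leaves
    // quote characters intact, so it does not make a value attribute-safe.
    $name   = isset( $_REQUEST['googlefont_ajax_name'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['googlefont_ajax_name'] ) ) : '';
    $family = isset( $_REQUEST['googlefont_ajax_family'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['googlefont_ajax_family'] ) ) : '';

    // Vulnerable pattern (shown only as a comment): the raw value goes into an
    // attribute, so a double quote in it closes the attribute early.
    //   echo '<input type="checkbox" name="' . $_REQUEST['googlefont_ajax_name'] . '">';

    // Hardened: escape for the attribute context at the point of output.
    // esc_attr() encodes ", ', <, > and &, so the value stays inside the quotes.
    printf(
        '<input type="checkbox" name="%s" value="%s">',
        esc_attr( $name ),
        esc_attr( $family )
    );

    wp_die(); // end the AJAX response
}
```

With this in place, a constructed test value such as `Roboto" data-probe="1` is rendered as `Roboto&quot; data-probe=&quot;1` inside the attribute instead of creating a second attribute.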
CPE

Name | Operator | Version |
---|---|---|
wp-google-fonts | lt | 3.1.5 |