--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Vulnerability in Wordpress Google Fonts Plugin' number: '2024-001' version: '1.0' original_date: 'January 2, 2024' date: 'January 3, 2024' --- _History:_ * _03/01/2024 --- v1.0 -- Initial publication_ # Summary On January 2, 2024, an unauthenticated Stored Cross-Site Scripting (XSS) and directory deletion vulnerability has been discovered in the "_OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy._" plugin for WordPress. This vulnerability, identified as `CVE-2023-6600` (CVSS score of 8.6)[1], may allow unauthenticated attackers to update the plugin's settings and inject malicious scripts into affected sites [2]. This vulnerability could affect sites that have the OMGF plugin installed and configured, which is estimated to be over 300,000 sites [3]. # Technical Details The OMGF plugin vulnerability occurs due to a missing capability check on the `update_settings()` function hooked via `admin_init`. This allows unauthenticated attackers to modify the plugin's settings, leading to Stored Cross-Site Scripting and directory deletion. # Affected Products "_OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy._" plugin version 5.7.9 and below. # Recommendations To mitigate this vulnerability, users should update the vulnerable plugin to at least version 5.7.10 as it contains the necessary fixes. Users are also advised to monitor their WordPress sites for any signs of unauthorised changes, such as injected scripts or deleted directories. # References [1] [2] [3]