WordPress Google Fonts Plugin Vulnerability Affects Up To +300,000 Sites via @sejournal, @martinibuster


WordPress Google Fonts Plugin vulnerability allows unauthenticated attackers to delete directories and stage Cross-Site Scripting attacks


A vulnerability rated as High was recently patched in a Google Fonts optimization plugin for WordPress. It allowed attackers to delete entire directories and upload malicious scripts.

OMGF | GDPR/DSGVO Compliant WordPress Plugin

The plugin, OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., optimizes the use of Google Fonts to reduce their impact on page speed and is also GDPR compliant, making it valuable for users in the European Union who want to use Google Fonts.

Screenshot of Wordfence Vulnerability Rating


Vulnerability

The vulnerability is particularly concerning because it can be exploited by unauthenticated attackers. "Unauthenticated" means that an attacker does not need to be registered on the website or hold any level of credentials.

The vulnerability is described as enabling unauthenticated directory deletion and allowing the upload of Cross-Site Scripting (XSS) payloads.

Cross-Site Scripting (XSS) is a kind of attack in which a malicious script is uploaded to a website server and can then be used to remotely attack the browsers of any visitors. This can result in access to a user's cookies or session information, enabling the attacker to assume the privilege level of that user on the site.

The cause of the vulnerability, as identified by Wordfence researchers, is a missing capability check – a security feature that checks whether a user has access to a specific feature of a plugin, in this case an admin-level feature.

See also: WordPress Security: 16 Steps to Secure & Protect Your Site

An official WordPress developer page for plugin makers says this about capability checking:

"User capabilities are the specific permissions that you assign to each user or to a User role.

For example, Administrators have the "manage_options" capability which allows them to view, edit and save options for the website. Editors on the other hand lack this capability which will prevent them from interacting with options.

These capabilities are then checked at various points within the Admin. Depending on the capabilities assigned to a role; menus, functionality, and other aspects of the WordPress experience may be added or removed.

As you build a plugin, make sure to run your code only when the current user has the necessary capabilities."

Wordfence describes the cause of the vulnerability:

"…is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9."

Wordfence also states that previous updates attempted to close the security hole, but it considers version 5.7.10 to be the most secure version of the plugin.

Read the Wordfence vulnerability advisory:
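The following is an added illustration, not code from the OMGF plugin or from Wordfence, of the pattern the advisory describes and of the check that closes it. The plugin name, function names, option name and settings fields (example_fonts_*, cache_dir, display) are hypothetical. The point worth knowing as a defender is that the admin_init hook fires on every request to wp-admin, including admin-ajax.php and admin-post.php, which WordPress serves to visitors who are not logged in; a settings handler on that hook therefore has to verify the user's capability itself, because the hook alone proves nothing about who is calling.

```php
<?php
// Added example (hypothetical "example_fonts" plugin), not the OMGF plugin's code.

// Shape the advisory describes: a settings handler on admin_init with no capability
// check. admin_init also runs for admin-ajax.php / admin-post.php requests from
// anonymous visitors, so nothing here stops an unauthenticated request from
// overwriting the option. If the stored value is later echoed unescaped into an
// admin page, that is the Stored XSS; if it names a directory the plugin clears
// on save, that is the directory deletion.
function example_fonts_update_settings_vulnerable() {
    if ( ! isset( $_POST['example_fonts_settings'] ) ) {
        return;
    }
    update_option( 'example_fonts_settings', wp_unslash( $_POST['example_fonts_settings'] ) );
}
// add_action( 'admin_init', 'example_fonts_update_settings_vulnerable' );

// Keep the plugin's cache directory inside wp-content/uploads: rejects traversal
// ("../") and absolute paths pointing elsewhere on the server.
function example_fonts_validate_cache_dir( $candidate ) {
    $base = trailingslashit( realpath( wp_upload_dir()['basedir'] ) );
    $real = realpath( $base . ltrim( $candidate, '/' ) );
    if ( false === $real || 0 !== strpos( trailingslashit( $real ), $base ) ) {
        return ''; // outside the uploads tree (or nonexistent): refuse it
    }
    return $real;
}

// Hardened shape of the same handler.
function example_fonts_update_settings() {
    if ( ! isset( $_POST['example_fonts_settings'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may proceed.
    //    This is the check whose absence the advisory reports.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-fonts' ), 403 );
    }
    // 2. Nonce check: an authorized admin's browser cannot be tricked into
    //    submitting the form from another site (CSRF).
    check_admin_referer( 'example_fonts_save_settings', 'example_fonts_nonce' );

    // 3. Sanitize on input so markup never reaches the database and the
    //    directory setting cannot name an arbitrary path.
    $raw   = wp_unslash( $_POST['example_fonts_settings'] );
    $clean = array(
        'cache_dir' => example_fonts_validate_cache_dir( sanitize_text_field( $raw['cache_dir'] ?? '' ) ),
        'display'   => in_array( $raw['display'] ?? '', array( 'swap', 'block', 'auto' ), true )
            ? $raw['display'] : 'swap',
    );
    update_option( 'example_fonts_settings', $clean );
}
add_action( 'admin_init', 'example_fonts_update_settings' );

// 4. Escape on output as well, so a value stored by an older, unpatched version
//    cannot execute when the settings page renders it.
function example_fonts_render_cache_dir_field() {
    $settings = get_option( 'example_fonts_settings', array() );
    printf(
        '<input type="text" name="example_fonts_settings[cache_dir]" value="%s" />',
        esc_attr( $settings['cache_dir'] ?? '' )
    );
    wp_nonce_field( 'example_fonts_save_settings', 'example_fonts_nonce' );
}
```

When reviewing a plugin for this class of bug, the quick check is to list every callback attached to admin_init, admin_post_*, or wp_ajax_nopriv_* and confirm that each one that writes options or touches the filesystem calls current_user_can() (and a nonce check) before doing so; the hook name by itself never implies an authenticated or authorized caller.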

OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

Featured Image by Shutterstock/Nikulina Tatiana

SEJ STAFF Roger Montti, Owner - Martinibuster.com