exploitDog

CVE-2021-24935

Опубликовано: 06 дек. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues

Ссылки

https://plugins.trac.wordpress.org/changeset/2623659
Patch
Third Party Advisory
https://wpscan.com/vulnerability/53702281-1bd5-4828-b7a4-9f81cf0b6bb6
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2623659
Patch
Third Party Advisory
https://wpscan.com/vulnerability/53702281-1bd5-4828-b7a4-9f81cf0b6bb6
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wp_google_fonts_project:wp_google_fonts:*:*:*:*:*:*:*:*

Версия до 3.1.5 (исключая)

EPSS

Процентиль: 52%

0.00293

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-7j2q-gmf9-hmhh

github

около 4 лет назад

The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues

EPSS

Процентиль: 52%

0.00293

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79