New vulnerability in a popular WordPress plugin – OMGF

CERT-EU reports the discovery of a new vulnerability in a popular WordPress plugin called “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.” The plugin is installed on over 300,000 sites and is meant to make the Google Fonts a website uses comply with GDPR.

The vulnerability is a stored XSS (Cross-Site Scripting) flaw that can be exploited by unauthenticated attackers. It has been assigned CVE-2023-6600 and a CVSS score of 8.6. An attacker without any login credentials can modify the plugin's settings and inject malicious scripts into affected pages.

The root cause is a missing permission check in the plugin's update_settings() function, which unauthenticated attackers can invoke. This lets an attacker change the plugin's settings, which in turn leads to stored XSS and to directory removal.
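The two defects the advisory describes, a settings handler reachable without a permission check and a stored value rendered without escaping, follow a well-known WordPress pattern. The snippet below is an added illustration written for this page, not OMGF's code: all function, option and nonce names (my_plugin_*) are hypothetical, and the vulnerable and hardened handlers are shown side by side.

```php
<?php
// Illustrative example (not OMGF's code): a WordPress AJAX settings handler
// with the defects the advisory describes (no permission check, unescaped
// output), followed by a hardened version. Every name here is hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// 'wp_ajax_nopriv_' registers the action for visitors who are NOT logged in,
// so anyone can reach it; the handler then trusts the request completely.
add_action( 'wp_ajax_nopriv_my_plugin_update_settings', 'my_plugin_update_settings_vuln' );
add_action( 'wp_ajax_my_plugin_update_settings', 'my_plugin_update_settings_vuln' );

function my_plugin_update_settings_vuln() {
    // No capability check, no nonce check, no sanitisation: whatever arrives
    // in the request is written straight into the options table.
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'my_plugin_settings', $settings );
    wp_send_json_success();
}

function my_plugin_render_banner_vuln() {
    $settings = get_option( 'my_plugin_settings', array() );
    // The stored value is echoed raw, so a script saved through the handler
    // above runs in the browser of every visitor who loads this page.
    echo '<div class="banner">' . ( $settings['banner_text'] ?? '' ) . '</div>';
}

// --- Hardened pattern -----------------------------------------------------
// The action is registered for logged-in users only (no 'nopriv' variant),
// and the handler still verifies capability and nonce itself, then accepts
// only known settings and sanitises each one before storing it.
add_action( 'wp_ajax_my_plugin_update_settings', 'my_plugin_update_settings_safe' );

function my_plugin_update_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // The admin page that sends this request embeds
    // wp_create_nonce( 'my_plugin_settings_nonce' ) in the 'nonce' field.
    check_ajax_referer( 'my_plugin_settings_nonce', 'nonce' ); // dies on failure

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array(
        'banner_text' => sanitize_text_field( $raw['banner_text'] ?? '' ),
        // Path-like settings are reduced to a single safe directory name, so a
        // stored value cannot point later file operations at an arbitrary path.
        'cache_dir'   => sanitize_file_name( basename( (string) ( $raw['cache_dir'] ?? 'cache' ) ) ),
    );
    update_option( 'my_plugin_settings', $clean );
    wp_send_json_success();
}

function my_plugin_render_banner_safe() {
    $settings = get_option( 'my_plugin_settings', array() );
    // Escape at output as well: defence in depth in case an older,
    // unsanitised value is still stored in the database.
    echo '<div class="banner">' . esc_html( $settings['banner_text'] ?? '' ) . '</div>';
}
```

The hardened handler applies three independent controls: the capability check stops unauthenticated and low-privilege users, the nonce check stops cross-site requests that ride on an administrator's session, and sanitising on input plus escaping on output means a single missed check no longer yields stored XSS. When reviewing a plugin, look for `wp_ajax_nopriv_` registrations and for `admin_post_nopriv_` handlers that change state, and confirm each one performs a `current_user_can()` check.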

To protect their websites, users should update the OMGF plugin to version 5.7.10, which fixes this issue.

FAQ:
What is stored XSS?
Stored XSS (Cross-Site Scripting) is a vulnerability that allows an attacker to save a malicious script inside a website or web application, so that it is served as part of the page. The script then runs in the browser of every user who visits the affected page, giving the attacker control over what those users see and do on the site.

What are the consequences of stored XSS?
Stored XSS can have serious consequences. Attackers can alter the content of a page, redirect users to fraudulent sites, and even take over administrator accounts.

Source:
Author: Cert EU
Available at: www.cert.europa.eu

The source of the article is from the blog radiohotmusic.it