The article discusses a recently patched, High-severity vulnerability in a Google Fonts optimization plugin for WordPress. The plugin, called OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., aims to optimize the use of Google Fonts so that they have less impact on page speed and to keep sites GDPR-compliant for users in the European Union.
The vulnerability allows unauthenticated attackers to delete entire directories and upload malicious scripts, a significant risk to the security of websites using the plugin. Specifically, it enables unauthenticated directory deletion and the upload of Cross-Site Scripting (XSS) payloads. In a stored XSS attack, a malicious script is placed on the website's server and is then served to, and executed in, the browsers of site visitors.
The cause of the vulnerability, as identified by Wordfence researchers, is a lack of a capability check, which is a security feature that verifies whether a user has access to specific features within a plugin. The official WordPress developer page for plugin makers emphasizes the importance of capability checking to assign specific permissions to users or user roles, preventing unauthorized access to sensitive website functionalities.
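As an added illustration, not code from the OMGF plugin or from Wordfence, the following shows a hypothetical WordPress admin-ajax handler that clears a font cache directory, first in the unguarded shape the article describes as the root cause, then with the capability check (and nonce check) that the WordPress developer documentation calls for. Every name prefixed `demo_` is an assumption made for this example.

```php
<?php
// Hypothetical "clear font cache" handler; all demo_* names are assumptions.

// --- Vulnerable pattern: no capability check, and registered for logged-out users ---
function demo_clear_cache_unchecked() {
    // wp_ajax_nopriv_ exposes this action to unauthenticated visitors, and
    // nothing verifies that the caller is allowed to remove files.
    $upload    = wp_upload_dir();
    $cache_dir = trailingslashit( $upload['basedir'] ) . 'demo-font-cache';
    foreach ( glob( $cache_dir . '/*' ) ?: array() as $file ) {
        wp_delete_file( $file ); // anyone on the internet can trigger this
    }
    wp_send_json_success( 'cache cleared' );
}
add_action( 'wp_ajax_nopriv_demo_clear_cache', 'demo_clear_cache_unchecked' );
add_action( 'wp_ajax_demo_clear_cache', 'demo_clear_cache_unchecked' );

// --- Hardened pattern ---
function demo_clear_cache_checked() {
    // 1. Capability check: only users who may manage the site reach the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_* calls die()
    }
    // 2. Nonce check: rejects requests forged on behalf of a logged-in admin (CSRF).
    check_ajax_referer( 'demo_clear_cache_nonce', 'nonce' );

    // 3. Operate only on the plugin's own cache directory; never on a request-supplied path.
    $upload    = wp_upload_dir();
    $base      = realpath( $upload['basedir'] );
    $cache_dir = realpath( trailingslashit( $upload['basedir'] ) . 'demo-font-cache' );
    if ( false === $base || false === $cache_dir || 0 !== strpos( $cache_dir, $base ) ) {
        wp_send_json_error( 'invalid cache directory', 400 );
    }
    // 4. Delete only the file type the plugin itself writes, not whole directories.
    foreach ( glob( $cache_dir . '/*.css' ) ?: array() as $file ) {
        wp_delete_file( $file );
    }
    wp_send_json_success( 'cache cleared' );
}
// Registered only for authenticated users: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_demo_clear_cache', 'demo_clear_cache_checked' );
```

A quick way to audit a plugin for this class of bug is to list every `wp_ajax_nopriv_` and REST `permission_callback` registration and confirm that each destructive action behind them performs a `current_user_can()` check before touching the filesystem or database.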
Wordfence also indicates that previous updates attempted to address the security gap, but version 5.7.10 is deemed the most secure version of the plugin. The vulnerability warning provided by Wordfence advises that versions up to and including 5.7.9 are vulnerable to unauthorized modification of data and stored Cross-Site Scripting.
In conclusion, the vulnerability in the Google Fonts optimization plugin poses a serious threat to the security of up to 300,000 websites using the plugin. Users are advised to update to the latest, most secure version of the plugin (version 5.7.10) to mitigate the potential risks associated with the vulnerability. Additionally, plugin developers are urged to prioritize capability checks to prevent unauthorized access and modification of sensitive website features.