
A vulnerability rated as High was recently patched in a Google Fonts optimization plugin for WordPress. It allowed attackers to delete entire directories and upload malicious scripts.
OMGF | GDPR/DSGVO Compliant WordPress Plugin
The plugin, OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., optimizes the use of Google Fonts to reduce their impact on page speed and is also GDPR compliant, making it valuable for users in the European Union who want to use Google Fonts.
Screenshot of Wordfence Vulnerability Score
Vulnerability
The vulnerability is particularly concerning because it can be exploited by unauthenticated attackers. "Unauthenticated" means that an attacker does not need to be registered on the site or hold any level of credentials.
The vulnerability is described as enabling unauthenticated directory deletion and allowing the upload of Cross-Site Scripting (XSS) payloads.
Cross-Site Scripting (XSS) is a type of attack in which a malicious script is uploaded to a site's server, where it can then be used to remotely attack the browsers of any visitors. This can result in access to a user's cookies or session information, enabling the attacker to assume the privilege level of that visiting user.
The cause of the vulnerability, as identified by Wordfence researchers, is a missing capability check, a security control that verifies whether a user is allowed to access a specific feature of a plugin, in this case an admin-level feature.
An official WordPress developer page for plugin authors says this about capability checking:
“User capabilities are the specific permissions that you assign to each user or to a User role.
For example, Administrators have the “manage_options” capability which allows them to view, edit and save options for the website. Editors on the other hand lack this capability which will prevent them from interacting with options.
These capabilities are then checked at various points within the Admin. Depending on the capabilities assigned to a role; menus, functionality, and other aspects of the WordPress experience may be added or removed.
As you build a plugin, make sure to run your code only when the current user has the necessary capabilities.”
Wordfence describes the cause of the vulnerability:
“…is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9.”
Wordfence also states that earlier updates attempted to close the security hole, but it considers version 5.7.10 to be the most secure version of the plugin.
Read the Wordfence vulnerability advisory:
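To make the missing check concrete, here is an added illustrative PHP example (not OMGF's own code): a hypothetical settings handler hooked on admin_init, first without a capability check and then with the capability check, nonce check and sanitization that Wordfence's description calls for. The function and option names are invented for the example.

```php
<?php
// Illustrative example, not the plugin's actual code.
// admin_init fires on every admin-area request, including admin-ajax.php and
// admin-post.php, which unauthenticated visitors can reach. Being hooked on
// admin_init therefore says nothing about who is making the request.

// VULNERABLE PATTERN: no capability check, no nonce, raw input stored as-is.
function example_update_settings_vulnerable() {
    if ( empty( $_POST['example_settings'] ) ) {
        return;
    }
    $settings = wp_unslash( $_POST['example_settings'] ); // unsanitized attacker-controlled data
    update_option( 'example_settings', $settings );         // becomes stored XSS if echoed unescaped
}
// add_action( 'admin_init', 'example_update_settings_vulnerable' ); // left disabled on purpose

// HARDENED PATTERN: authorize the caller, verify the request origin, sanitize before storing.
function example_update_settings_hardened() {
    if ( empty( $_POST['example_settings'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage site options may continue.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'example' ), 403 );
    }
    // Nonce check: the request must come from the plugin's own settings form (CSRF protection).
    check_admin_referer( 'example_update_settings', 'example_nonce' );

    $raw   = wp_unslash( (array) $_POST['example_settings'] );
    $clean = array(
        // Allow-list known keys and sanitize each value; a single file-name component
        // cannot carry "../" traversal into a directory-handling routine.
        'cache_dir' => sanitize_file_name( $raw['cache_dir'] ?? '' ),
        'display'   => in_array( $raw['display'] ?? '', array( 'swap', 'block' ), true )
            ? $raw['display'] : 'swap',
    );
    update_option( 'example_settings', $clean );
}
add_action( 'admin_init', 'example_update_settings_hardened' );

// Escape on output as well, so a stored value can never be rendered as script.
function example_render_setting( $key ) {
    $settings = get_option( 'example_settings', array() );
    echo esc_html( $settings[ $key ] ?? '' );
}
```

The capability check alone closes the authorization gap the advisory describes; the nonce and sanitization are the additional layers a reviewer would expect alongside it.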
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
Featured Image by Shutterstock/Nikulina Tatiana