The Fonto – Custom Web Fonts Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Metrics
Affected Vendors & Products
References
History
Thu, 17 Oct 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Vladolaru
Vladolaru fonto Custom Web Fonts Manager |
|
CPEs | cpe:2.3:a:vladolaru:fonto_custom_web_fonts_manager:*:*:*:*:*:*:*:* | |
Vendors & Products |
Vladolaru
Vladolaru fonto Custom Web Fonts Manager |
|
Metrics |
ssvc
|
Thu, 17 Oct 2024 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Fonto – Custom Web Fonts Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |
Title | Fonto – Custom Web Fonts Manager <= 1.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | |
Weaknesses | CWE-79 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-17T09:32:17.085Z
Updated: 2024-10-17T18:20:00.300Z
Reserved: 2024-09-16T22:37:47.915Z
Link: CVE-2024-8920
Vulnrichment
Updated: 2024-10-17T18:19:55.752Z
NVD
Status : Awaiting Analysis
Published: 2024-10-17T10:15:04.580
Modified: 2024-10-18T12:52:33.507
Link: CVE-2024-8920
Redhat
No data.