Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent gmo-font-agent allows Stored XSS.This issue affects GMO Font Agent: from n/a through <= 1.6.
Published: 2025-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GMO Font Agent plugin suffers from an improper neutralization of user input during web page generation, leading to a stored cross‑site scripting vulnerability. An attacker could inject malicious script that persists on the website and is executed in the browsers of visitors. Based on typical XSS impacts, this could allow arbitrary client‑side code execution, potentially enabling credential theft, session hijack, or site defacement.

Affected Systems

All installations of the GMO Font Agent plugin version 1.6 or earlier, distributed by Z.com byGMO, are affected. The vulnerability is present regardless of the WordPress site configuration.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% shows a very low likelihood of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. The attack vector is likely through any input or administrative interface of the plugin where malicious payloads can be stored; this inference is drawn because the description specifies a stored XSS but does not reveal the exact entry point.

Generated by OpenCVE AI on May 1, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GMO Font Agent plugin to a version newer than 1.6 if one exists.
  • If no newer version is available, disable or uninstall the plugin to remove the vulnerability.
  • Apply a web‑application firewall rule or enforce a strict content‑security policy to block execution of injected scripts until the plugin is patched.

Generated by OpenCVE AI on May 1, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7959 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent allows Stored XSS. This issue affects GMO Font Agent: from n/a through 1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent allows Stored XSS. This issue affects GMO Font Agent: from n/a through 1.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent gmo-font-agent allows Stored XSS.This issue affects GMO Font Agent: from n/a through <= 1.6.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent allows Stored XSS. This issue affects GMO Font Agent: from n/a through 1.6.
Title WordPress GMO Font Agent plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.934Z

Reserved: 2025-03-24T12:59:58.192Z

Link: CVE-2025-30553

cve-icon Vulnrichment

Updated: 2025-03-24T14:50:04.710Z

cve-icon NVD

Status : Deferred

Published: 2025-03-24T14:15:24.547

Modified: 2026-04-23T15:26:51.273

Link: CVE-2025-30553

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses