CVE-2021-24637 Information

Description

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/dd2b3f22-5e8b-41cf-bcb8-d2e673e1d21e

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM