A recently patched vulnerability in a widely used Google Fonts optimization plugin for WordPress, rated High, posed significant risk: it allowed attackers to delete entire directories and upload malicious scripts.
OMGF | GDPR/DSGVO Compliant WordPress Plugin
The OMGF | GDPR/DSGVO Compliant plugin, designed to optimize how Google Fonts are loaded so that they have less impact on page speed, and to keep that usage GDPR compliant, is particularly valuable for site owners in the European Union.
Vulnerability
The vulnerability is alarming due to its potential for exploitation by unauthenticated attackers, meaning no registration or credentials are required. It allows for unauthorized directory deletions and the upload of Cross-Site Scripting (XSS) payloads.
Stored XSS attacks involve getting malicious script saved on the website's server so that it later executes in the browsers of visitors. Such scripts can steal user cookies or session information, potentially allowing attackers to act with the victim's privilege level on the site.
Cause and Details
According to researchers, the root cause of the vulnerability is a missing capability check: the code that verifies whether the current user holds the permission required to use a given plugin feature, which for settings changes is normally an administrator-level capability.
WordPress Security Advisory:
"User capabilities are specific permissions assigned to each user or user role. For example, Administrators have the ‘manage_options’ capability, allowing them to manage website options, whereas Editors do not. These capabilities influence various interactions within the WordPress Admin area. Ensure that your plugin code runs only when the current user has the necessary capabilities."
Wordfence further explains:
"…this vulnerability allows unauthorized data modification and Stored Cross-Site Scripting due to a missing capability check in the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9."
Wordfence has indicated that previous updates attempted to address this security issue, and version 5.7.10 is considered the most secure release of the plugin.
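To make the "missing capability check" concrete, here is an added example (not the OMGF plugin's code) of a settings handler hooked via admin_init, first in the weak form that trusts any request reaching the hook, then with the checks WordPress expects. The plugin prefix `myplugin_`, the option name and the field names are assumptions for illustration. WordPress fires admin_init on requests to admin-ajax.php as well as on admin pages, which is why a handler on that hook must verify the user's capability itself rather than assume an administrator is logged in.

```php
<?php
// Added example, not code from the OMGF plugin. Demonstrates a settings
// handler on admin_init with and without the checks WordPress expects.

// --- Weak pattern: no capability or nonce check ----------------------------
function myplugin_update_settings_unsafe() {
    if ( ! isset( $_POST['myplugin_settings'] ) ) {
        return;
    }
    // Any request that reaches admin_init can overwrite the options, and the
    // raw input is written to the database unsanitized, which is where a
    // stored XSS payload would end up.
    update_option( 'myplugin_settings', $_POST['myplugin_settings'] );
}
// add_action( 'admin_init', 'myplugin_update_settings_unsafe' ); // left unhooked

// --- Hardened pattern ------------------------------------------------------
function myplugin_update_settings() {
    if ( ! isset( $_POST['myplugin_settings'] ) ) {
        return;
    }
    // 1. Capability check: only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), 403 );
    }
    // 2. Nonce check: the request must come from the plugin's own settings form
    //    (the form field is created with wp_nonce_field('myplugin_update_settings', 'myplugin_nonce')).
    check_admin_referer( 'myplugin_update_settings', 'myplugin_nonce' );

    // 3. Sanitize each field against an allow-list of known keys before storing.
    $raw     = wp_unslash( $_POST['myplugin_settings'] );
    $clean   = array();
    $allowed = array( 'cache_dir', 'display_option' ); // assumed field names
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }
    update_option( 'myplugin_settings', $clean );
}
add_action( 'admin_init', 'myplugin_update_settings' );

// Escape on output as well: a stored value must never be echoed raw into HTML.
function myplugin_render_field( $key ) {
    $settings = get_option( 'myplugin_settings', array() );
    $value    = isset( $settings[ $key ] ) ? $settings[ $key ] : '';
    printf(
        '<input type="text" name="myplugin_settings[%s]" value="%s" />',
        esc_attr( $key ),
        esc_attr( $value )
    );
}

// --- Directory deletion confined to the plugin's own cache folder ----------
// Assumed layout: the plugin caches fonts under uploads/myplugin-cache/.
function myplugin_delete_cache_dir( $requested ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $base   = wp_normalize_path( trailingslashit( wp_upload_dir()['basedir'] ) . 'myplugin-cache/' );
    // basename() discards any path components, so "../" cannot escape $base.
    $target = realpath( $base . basename( $requested ) );
    if ( false === $target || ! is_dir( $target ) ) {
        return false;
    }
    $target = trailingslashit( wp_normalize_path( $target ) );
    // Refuse anything that resolves outside the cache directory, and refuse
    // the cache root itself so a request cannot wipe the whole folder.
    if ( 0 !== strpos( $target, $base ) || $target === $base ) {
        return false;
    }
    foreach ( scandir( $target ) as $entry ) {
        if ( '.' !== $entry && '..' !== $entry && is_file( $target . $entry ) ) {
            unlink( $target . $entry );
        }
    }
    return rmdir( $target );
}
```

The three checks in the hardened handler are independent: the capability check answers "may this user do this at all", the nonce answers "did this request come from our form", and sanitization plus output escaping keep whatever is stored from becoming an executable script in another user's browser. The deletion helper shows the matching discipline for filesystem operations: resolve the path, confirm it lies under the directory the plugin owns, and never act on the root of that directory from user input.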
Official Warning:
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting