A vulnerability rated as High was recently patched in a Google Fonts optimization plugin for WordPress, allowing attackers to delete entire directories and upload malicious scripts.
OMGF | GDPR/DSGVO Compliant WordPress Plugin
The plugin, OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy., optimizes the use of Google Fonts to reduce page speed impact and is also GDPR compliant, making it valuable for users in the European Union looking to implement Google Fonts.
Screenshot of Wordfence Vulnerability Rating
Vulnerability
The vulnerability is particularly concerning because it allows unauthenticated attackers. “Unauthenticated” means that an attacker doesn’t need to be registered on the website or have any level of credentials.
The vulnerability is described as enabling unauthenticated directory deletion and allowing the upload of Cross-Site Scripting (XSS) payloads.
Cross-Site Scripting (XSS) is a type of attack where a malicious script is uploaded to a website server, which can then be used to remotely attack the browsers of any visitors. This can result in accessing a user’s cookies or session information, enabling the attacker to assume the privilege level of that user visiting the site.
The cause of the vulnerability, as identified by Wordfence researchers, is a lack of a capability check – a security feature that checks whether a user has access to a specific feature of a plugin, in this case, an admin-level feature.
See also: WordPress Security: 16 Steps to Secure & Protect Your Site
An official WordPress developer page for plugin makers says this about capability checking:
“User capabilities are the specific permissions that you assign to each user or to a User role.
For example, Administrators have the “manage_options” capability which allows them to view, edit and save options for the website. Editors on the other hand lack this capability which will prevent them from interacting with options.
These capabilities are then checked at various points within the Admin. Depending on the capabilities assigned to a role; menus, functionality, and other aspects of the WordPress experience may be added or removed.
As you build a plugin, make sure to run your code only when the current user has the necessary capabilities.”
Wordfence describes the cause of the vulnerability:
“…is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9.”
Wordfence also states that previous updates attempted to close the security gap but considers version 5.7.10 to be the most secure version of the plugin.
Read the Wordfence vulnerability warning:
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
Featured Image by Shutterstock/Nikulina Tatiana
We all want to be satisfied, even though we know some people who will never be that way, and others who see satisfaction as a foreign emotion that they can’t hope to ever feel.
Newspaper Ads Canyon Crest CA
Click To See Full Page Ads
Click To See Half Page Ads
Click To See Quarter Page Ads
Click To See Business Card Size Ads
If you have questions before you order, give me a call @ 951-235-3518 or email @ canyoncrestnewspaper@gmail.com
Like us on Facebook Here
What should Google rank in Search when all the content sucks?
Many people have an incredibly low bar for what they consider to be “great” content that...
Google Search Wants To Reward The Best Content No Matter The Size Of The Site
For the past 20 years, probably even longer, the debate about Google giving preferential...
0 Comments