CVE-2021-24977
Last modified
CVE-2021-24977 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues. EPSS estimates a 1.47% chance of exploitation in the next 30 days.
Description
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Dineshkarki | Use Any Font | < 6.2.1 |
References
- https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-24977?
How severe is CVE-2021-24977?
How do I fix CVE-2021-24977?
Are you affected by CVE-2021-24977?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST