Vulnerability Details CVE-2021-24637
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.1%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
Products affected by CVE-2021-24637
-
cpe:2.3:a:fontsplugin:fonts:-
-
cpe:2.3:a:fontsplugin:fonts:3.0.0
-
cpe:2.3:a:fontsplugin:fonts:3.0.1
-
cpe:2.3:a:fontsplugin:fonts:3.0.2