VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2023 · Updated Apr 28, 2026

WordPress Zeno Font Resizer Plugin <= 1.7.9 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-25442

Description

Stored XSS in Zeno Font Resizer plugin <=1.7.9 allows admin-level attackers to inject arbitrary JavaScript via unsanitized settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Zeno Font Resizer plugin for WordPress, in versions up to and including 1.7.9, contains a stored cross-site scripting (XSS) vulnerability in its admin settings page. An authenticated user with administrator-level privileges can inject arbitrary JavaScript into plugin settings (e.g., font size options or content selectors); the input is not properly sanitized before being stored and is later rendered, unescaped, in the admin interface or on the frontend. The flaw lies in the plugin's admin functionality, where user input is insufficiently escaped [1].

Exploitation

To exploit this vulnerability, an attacker must have an administrator account on the WordPress site. The attacker navigates to the Zeno Font Resizer settings page (typically under Settings > Zeno Font Resizer) and injects malicious JavaScript into one of the input fields (e.g., "Resize steps" or "Content to resize"). The input is stored without proper sanitization. When another administrator or a user with access to the settings page views the page, the injected script executes in their browser. The attacker does not need any special network position beyond being logged in as admin.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, theft of sensitive information (e.g., cookies, admin credentials), or further actions such as creating new admin accounts or installing malicious plugins. The impact is limited to users who view the affected admin page, but since administrators have high privileges, the compromise can be severe.

Mitigation

The vulnerability is fixed in version 1.8.0 of the Zeno Font Resizer plugin, released on 2023-02-15, which adds proper output escaping and input sanitization [1]. Users should update to version 1.8.0 or later immediately. According to the reference, the latest version is 2.0.0 (2026-04-05), which includes further improvements. No workaround is available for versions prior to 1.8.0; updating is the only mitigation. The plugin is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
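The two failure modes described above (no sanitization on save, no escaping on output) and the fix the advisory describes are illustrated below with a hypothetical WordPress settings field. This is an added example, not the Zeno Font Resizer plugin's own code; every function and option name prefixed `zfr_demo_` is an assumption chosen for illustration, while `register_setting`, `sanitize_text_field`, `absint`, `esc_attr`, `wp_add_inline_script` and `wp_json_encode` are real WordPress core APIs.

```php
<?php
// Hypothetical illustration of the vulnerability class, NOT Zeno Font Resizer's real code.
// A settings page stores a CSS selector and a step count, then renders both back into the
// admin form and into a frontend script. The "unsafe" pair shows the pattern the advisory
// describes; the "safe" pair shows sanitize-on-save plus context-specific escape-on-output.

// --- Unsafe pattern: raw POST value stored verbatim, echoed without escaping ---
function zfr_demo_save_unsafe() {
    // Whatever an admin submits is persisted as-is, including markup or script.
    update_option( 'zfr_demo_selector', $_POST['content_selector'] );
}
function zfr_demo_field_unsafe() {
    $value = get_option( 'zfr_demo_selector', '' );
    // Stored value is concatenated straight into an attribute: stored XSS on every page view.
    echo '<input type="text" name="content_selector" value="' . $value . '">';
}

// --- Safe pattern: Settings API with a sanitize_callback, escaping chosen per context ---
function zfr_demo_register_settings() {
    register_setting( 'zfr_demo_group', 'zfr_demo_selector', array(
        'type'              => 'string',
        'sanitize_callback' => 'zfr_demo_sanitize_selector',
        'default'           => '',
    ) );
    register_setting( 'zfr_demo_group', 'zfr_demo_steps', array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint', // coerces to a non-negative integer
        'default'           => 5,
    ) );
}
add_action( 'admin_init', 'zfr_demo_register_settings' );

function zfr_demo_sanitize_selector( $input ) {
    // Strip tags/control characters, then keep only characters a CSS selector legitimately uses.
    $clean = sanitize_text_field( (string) $input );
    return preg_replace( '/[^A-Za-z0-9 #.\-_>,:\[\]]/', '', $clean );
}

function zfr_demo_field_safe() {
    $selector = get_option( 'zfr_demo_selector', '' );
    $steps    = get_option( 'zfr_demo_steps', 5 );
    // HTML attribute context: esc_attr() encodes quotes and angle brackets.
    printf( '<input type="text" name="content_selector" value="%s">', esc_attr( $selector ) );
    printf( '<input type="number" name="resize_steps" value="%d">', (int) $steps );
}

function zfr_demo_frontend_config() {
    // JavaScript context: never concatenate the option into script text; JSON-encode it.
    $config = array( 'selector' => get_option( 'zfr_demo_selector', '' ),
                     'steps'    => (int) get_option( 'zfr_demo_steps', 5 ) );
    wp_add_inline_script( 'zfr-demo-js', 'var zfrDemo = ' . wp_json_encode( $config ) . ';', 'before' );
}
add_action( 'wp_enqueue_scripts', 'zfr_demo_frontend_config' );
```

Sanitizing on save limits what reaches the database, but it is the output-side escaping (`esc_attr` for attributes, `wp_json_encode` for script data) that the fixed version relies on, so both layers belong in a review of any settings page that round-trips admin input.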

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.