CVE-2024-8920

Vulnerability

Analysis

The Fonto – Custom Web Fonts Manager plugin for WordPress (versions up to and including 1.2.1) is susceptible to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping during SVG file uploads [1]. The plugin fails to properly validate or sanitize SVG files, allowing malicious scripts to be embedded within the uploaded file.

Exploitation

An attacker must have at least Author-level access to the WordPress site. They can upload a crafted SVG file containing malicious JavaScript. When another user (including administrators) accesses the SVG file, the script executes in the context of the victim's browser. The attack does not require any additional user interaction beyond viewing the file.

Impact

Successful exploitation enables arbitrary web script execution in the context of the affected site. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as login credentials. The vulnerability is rated Medium with a CVSS v3 score of 6.4.

Mitigation

The vendor has not released a patched version addressing this specific vulnerability as of the publication date. Users are advised to restrict SVG file upload capabilities or implement additional security measures such as file type validation and content security policies until an update is available.