Flex Local Fonts <= 1.0.0 is vulnerable to Stored Cross-Site Scripting (XSS)

Administrator
Published: 2021-11-14

The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVSS

Score: 4.8

Severity: Medium

Version: 1.0.0

The plugin vendor has not patched this vulnerability at the moment.