CVE-2021-24638

OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API

EPSS 1.8%CWE-22

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Sep 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website.

Affected products

Unknown · OMGF | Host Google Fonts Locally

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c