{"containers": {"cna": {"affected": [{"product": "Use Any Font | Custom Font Uploader", "vendor": "Unknown", "versions": [{"lessThan": "6.2.1", "status": "affected", "version": "6.2.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Krzysztof Zaj\u0105c"}], "descriptions": [{"lang": "en", "value": "The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-28T09:06:26", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"}], "source": {"discovery": "EXTERNAL"}, "title": "Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24977", "STATE": "PUBLIC", "TITLE": "Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Use Any Font | Custom Font Uploader", "version": {"version_data": [{"version_affected": "<", "version_name": "6.2.1", "version_value": "6.2.1"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Krzysztof Zaj\u0105c"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:49:14.458Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24977", "datePublished": "2022-02-28T09:06:26", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:49:14.458Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dineshkarki:use_any_font:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B16CE089-70E9-4353-BA15-252CB77C8356", "versionEndExcluding": "6.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues"}, {"lang": "es", "value": "El plugin Use Any Font | Custom Font Uploader de WordPress versiones anteriores a 6.2.1, no presenta ninguna comprobaci\u00f3n de autorizaci\u00f3n cuando se asigna una fuente, permitiendo a usuarios no autenticados enviar CSS arbitrarios que luego ser\u00e1n procesados por el frontend para todos los usuarios. Debido a una falta de saneo y escape en el backend, tambi\u00e9n podr\u00eda conllevar a problemas de tipo XSS Almacenado."}], "id": "CVE-2021-24977", "lastModified": "2026-01-13T20:33:51.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-28T09:15:08.337", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "contact@wpscan.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}