CVE-2023-6600: Over 300,000 Sites at Risk from OMGF Plugin XSS Flaw
The popular “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.” plugin, a staple in over 300,000 WordPress sites, has been hit by a formidable security flaw, identified as CVE-2023-6600. With a CVSS score of 8.6, this vulnerability can be exploited without authentication, putting every site running an affected version at risk.
This vulnerability manifests as an unauthenticated Stored Cross-Site Scripting (XSS) and directory deletion issue. For the uninitiated, XSS attacks enable attackers to inject malicious scripts into websites, compromising the integrity and safety of the site and its visitors. In this particular instance, the flaw lies in the absence of a crucial capability check within the `update_settings()` function of the plugin. This oversight grants attackers the ability to modify the plugin’s settings without authorization, triggering Stored XSS and potentially leading to directory deletion.
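The missing capability check described above, shown as the pattern a reviewer would flag beside a hardened handler. This is an added illustration, not OMGF's own code: the `example_fonts_*` function and option names, the use of an admin-ajax entry point, and the `cache_dir` setting used for cleanup are assumptions, since the page does not state how `update_settings()` is reached or which setting drives the directory deletion.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed example_fonts_ are hypothetical.

// BEFORE: the pattern the advisory describes. Nothing checks who is calling, nothing
// proves the request was intended (no nonce), and the posted values are stored as-is.
// If the same hook is also registered on wp_ajax_nopriv_*, it is reachable without a login.
function example_fonts_update_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_fonts_settings', $settings ); // raw input persisted -> Stored XSS when echoed
    wp_send_json_success();
}

// AFTER: authorization, CSRF protection, whitelisted and sanitized input, confined paths.
function example_fonts_update_settings_hardened() {
    // 1. Authorization: changing plugin settings is an administrative action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_fonts_update_settings', 'nonce' );

    // 3. Input validation: accept only known keys and run each through a sanitizer.
    $allowed = array(
        'cache_dir'      => 'sanitize_text_field',
        'display_option' => 'sanitize_key',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST['settings'][ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, wp_unslash( $_POST['settings'][ $key ] ) );
        }
    }

    // 4. Any setting later used for filesystem cleanup must stay inside the plugin's own
    //    directory; otherwise a settings change becomes an arbitrary directory deletion.
    if ( isset( $clean['cache_dir'] ) ) {
        $base = wp_normalize_path( trailingslashit( WP_CONTENT_DIR ) . 'uploads/example-fonts/' );
        $path = wp_normalize_path( $base . ltrim( $clean['cache_dir'], '/' ) );
        if ( false !== strpos( $clean['cache_dir'], '..' ) || 0 !== strpos( $path, $base ) ) {
            wp_send_json_error( 'invalid cache_dir', 400 );
        }
    }

    update_option( 'example_fonts_settings', $clean );
    wp_send_json_success( $clean );
}
// Registered for authenticated requests only; the capability check inside still governs access.
add_action( 'wp_ajax_example_fonts_update_settings', 'example_fonts_update_settings_hardened' );

// 5. Output escaping: sanitizing on the way in does not replace escaping on the way out.
function example_fonts_render_setting_field() {
    $settings = (array) get_option( 'example_fonts_settings', array() );
    $value    = isset( $settings['cache_dir'] ) ? $settings['cache_dir'] : '';
    printf( '<input type="text" name="settings[cache_dir]" value="%s">', esc_attr( $value ) );
}
```

The capability check alone closes the unauthenticated path the advisory describes; the nonce, the whitelist and the path confinement address the two consequences it names (stored script content and deletion of an attacker-chosen directory) even if an authenticated low-privilege account or a CSRF'd administrator reaches the handler.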
OMGF is designed with performance and user-friendliness at its core. Utilizing the Google Fonts API, it adeptly caches the fonts used by your theme and plugins, aiming to minimize DNS requests and boost your site’s speed. The CVE-2023-6600 flaw affects the “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.” plugin version 5.7.9 and below.
The discovery of this vulnerability demands immediate action. To safeguard your site, it’s crucial to update the OMGF plugin to version 5.7.10 or higher, as these versions contain the necessary fixes to patch the security gap. But don’t stop there. It’s equally important to regularly monitor your WordPress site for any signs of unauthorized changes.