CVE-2023-6600
📋 TL;DR
This vulnerability in the OMGF WordPress plugin allows unauthenticated attackers to modify plugin settings and inject stored XSS payloads due to missing capability checks. It affects all versions up to 5.7.9, enabling attackers to potentially delete directories and compromise websites. WordPress sites using the vulnerable plugin are at risk.
💻 Affected Systems
- OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. WordPress Plugin
📦 What is this software?
Omgf by Daan
⚠️ Risk & Real-World Impact
Worst Case
Complete website takeover via stored XSS leading to admin account compromise, data theft, and directory deletion causing site destruction.
Likely Case
Stored XSS injection leading to session hijacking, defacement, or malware distribution to site visitors.
If Mitigated
Limited impact if proper WAF rules block unauthenticated admin requests and input sanitization is enforced elsewhere.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. Multiple patch attempts indicate active exploitation attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.10
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3009453/host-webfonts-local
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.'
4. Click 'Update Now' if available, or delete and reinstall version 5.7.10+.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched:
wp plugin deactivate host-webfonts-local
WAF Rule Block
Block unauthenticated POST requests to admin_init endpoints
🧯 If You Can't Patch
- Remove plugin entirely and use alternative Google Fonts optimization solution
- Implement strict WAF rules blocking all unauthenticated admin area access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → OMGF plugin version. If the installed version is 5.7.9 or lower, the site is vulnerable.
Check Version:
wp plugin get host-webfonts-local --field=version
Verify Fix Applied:
Confirm plugin version is 5.7.10 or higher in WordPress admin panel.
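The version check above is easy to get wrong in a script because a plain string comparison sorts "5.7.10" before "5.7.9". The following added helper (not part of the advisory or the OMGF project) compares dotted version numbers numerically and, optionally, reads the installed version through the same wp-cli command the advisory gives; the fixed version 5.7.10 and the plugin slug host-webfonts-local come from the advisory, everything else is an assumption of this example.

```python
import re
import subprocess

# Values taken from the advisory: first fixed release and the plugin slug.
FIXED_VERSION = "5.7.10"
PLUGIN_SLUG = "host-webfonts-local"


def parse_version(version: str) -> tuple:
    """Turn '5.7.9' (or '5.7.9-beta1') into an int tuple so it compares numerically."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first patched release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(slug: str = PLUGIN_SLUG) -> str:
    """Ask wp-cli for the installed plugin version (requires wp on PATH and a WP site).
    This is the command from the advisory's 'Check Version' step."""
    result = subprocess.run(
        ["wp", "plugin", "get", slug, "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Hypothetical run against a live site; replace with installed_version() where wp-cli is available.
    for sample in ("5.7.9", "5.7.10", "5.8.0"):
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{PLUGIN_SLUG} {sample}: {state}")
```

The tuple comparison also handles short versions such as "5.7" (treated as below 5.7.10) and ignores pre-release suffixes, which is usually what you want when deciding whether to block an update window.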
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /wp-admin/admin-post.php with omgf_update_settings action
- Unexpected plugin setting changes in database
Network Indicators:
- HTTP POST requests to admin endpoints from unauthenticated sources
- Suspicious JavaScript injection in plugin settings
SIEM Query:
source="wordpress.log" AND ("admin-post.php" AND "omgf_update_settings") AND status!=401
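For teams without a SIEM, the same log indicator can be checked directly against web server access logs. The script below is an added example, not code from the advisory or the plugin: it parses combined-format access log lines, flags POST requests to /wp-admin/admin-post.php whose query string carries action=omgf_update_settings, and mirrors the advisory's status!=401 filter. The log lines are constructed for this example; the endpoint and action name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicator from the advisory: settings-update action on admin-post.php.
SUSPICIOUS_ACTION = "omgf_update_settings"
ADMIN_POST_PATH = "/wp-admin/admin-post.php"


def parse_line(line: str):
    """Return a dict of log fields, or None if the line is not combined format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_omgf_settings_post(entry: dict) -> bool:
    """Apply the advisory's indicator: POST to admin-post.php with the OMGF action, not rejected with 401."""
    if entry["method"] != "POST":
        return False
    parts = urlsplit(entry["target"])
    if not parts.path.endswith(ADMIN_POST_PATH):
        return False
    actions = parse_qs(parts.query).get("action", [])
    return SUSPICIOUS_ACTION in actions and entry["status"] != 401


def find_indicators(lines):
    """Return (ip, timestamp, status) for every matching line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_omgf_settings_post(entry):
            hits.append((entry["ip"], entry["ts"], entry["status"]))
    return hits


# Constructed sample log (documentation-range IPs); only the first line should match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2023:10:15:02 +0000] "POST /wp-admin/admin-post.php?action=omgf_update_settings HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Dec/2023:10:15:09 +0000] "GET /wp-admin/admin-post.php?action=omgf_update_settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2023:10:15:11 +0000] "POST /wp-admin/admin-post.php?action=heartbeat HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2023:10:16:40 +0000] "POST /wp-admin/admin-post.php?action=omgf_update_settings HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    '192.0.2.5 - - [10/Dec/2023:10:17:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, ts, status in find_indicators(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} -> possible {SUSPICIOUS_ACTION} request")
```

Two caveats when running this on real data: standard access logs do not record whether a WordPress login cookie accompanied the request, so "unauthenticated" has to be established by correlating with application or WAF logs, and a POST that carries the action in the request body rather than the query string will not appear in access logs at all, which is why the advisory also lists unexpected setting changes in the database as an indicator.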
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3008876%40host-webfonts-local&new=3008876%40host-webfonts-local&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009010%40host-webfonts-local&new=3009010%40host-webfonts-local&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009453%40host-webfonts-local&new=3009453%40host-webfonts-local&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c?source=cve