CVE-2024-43301

7.1 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the Fonts Plugin for WordPress (formerly Olympus Google Fonts), affecting all versions through 3.7.7, lets an attacker turn a forged request into stored cross-site scripting (XSS). The attacker lures a logged-in administrator to a page that submits the plugin's settings request on their behalf; because that request is not tied to a WordPress nonce (CSRF token), attacker-controlled markup is saved in the plugin's settings and later rendered as script.

💻 Affected Systems

Products:
  • WordPress Fonts Plugin (formerly Olympus Google Fonts)
Versions: All versions through 3.7.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress site with the vulnerable plugin active. The attacker needs no account of their own: exploitation relies on luring a logged-in administrator to an attacker-controlled page that submits the forged request.

📦 What is this software?

Fonts Plugin (formerly Olympus Google Fonts; WordPress.org plugin slug olympus-google-fonts, as seen in the advisory URL below) is a WordPress plugin for loading Google Fonts and assigning them to a site's typography from the WordPress admin. Its settings are saved by administrators through the admin UI, which is where the forged request lands.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full site takeover: script executing in an administrator's browser session can create a rogue administrator account, install a malicious plugin or edit theme files to plant a web shell, or deface the site.

🟠

Likely Case

The injected script runs whenever the affected page is rendered: it can redirect visitors to phishing or malware sites, inject spam or cryptomining code, or drive actions in wp-admin with the privileges of the administrator viewing it. WordPress authentication cookies are HttpOnly, so outright cookie theft by script is not the usual path; issuing authenticated requests from the victim's browser is.

🟢

If Mitigated

Limited: the vendor fix closes the CSRF entry point (the settings request must carry a valid WordPress nonce), and a Content Security Policy plus output escaping blunt any script that was already stored.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The chain is CSRF first, stored XSS second: the attacker needs a logged-in administrator to load a lure page, which submits the settings request; the saved payload then executes for whoever views the affected page. Exploit details are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/olympus-google-fonts/wordpress-fonts-plugin-3-7-7-cross-site-request-forgery-csrf-to-stored-xssvulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Fonts' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.7.8 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platforms: all

Temporarily deactivate the plugin until it can be updated. Note that the WP-CLI slug is olympus-google-fonts (the plugin's WordPress.org slug, as in the advisory URL above), not the display name 'Fonts':

wp plugin deactivate olympus-google-fonts

Implement CSRF Tokens

Platforms: all

Only viable if you maintain your own fork of the plugin: add a WordPress nonce to the settings form (wp_nonce_field) and verify it in the handler (check_admin_referer), and escape the saved values on output. A site operator cannot add this to the stock plugin without modifying it, which is what the vendor fix in 3.7.8 does; for most sites, updating is the practical route.

🧯 If You Can't Patch

  • Restrict /wp-admin to trusted networks (VPN or IP allow-list). This limits who can reach the admin UI and any payload stored there, but it does not stop the CSRF itself: the forged request is sent by the administrator's own browser from inside the trusted network.
  • Deploy a Content Security Policy that disallows inline script on the public site to blunt injected JavaScript; expect friction in wp-admin, which relies heavily on inline scripts.
  • Have administrators use a separate browser profile for wp-admin and log out when finished. Browser SameSite cookie defaults reduce but do not eliminate cross-site POST exposure, so do not rely on them.

🔍 How to Verify

Check if Vulnerable:

In WordPress admin → Plugins → Installed Plugins, check whether the Fonts plugin (WordPress.org slug olympus-google-fonts) shows version 3.7.7 or lower.

Check Version:

wp plugin get olympus-google-fonts --field=version

Verify Fix Applied:

Confirm the plugin reports version 3.7.8 or higher, in the admin plugin list or via the WP-CLI command above. No restart is required.
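The check-then-update procedure above, as a single WP-CLI script. This is an added example, not code from the advisory or from the plugin vendor; it assumes WP-CLI is on PATH and is run from the WordPress root (or with --path), and uses olympus-google-fonts as the plugin slug (its WordPress.org slug). The version comparison is numeric per component, so a future 3.10.x is correctly treated as newer than 3.7.7.

```sh
#!/bin/sh
# Added example for CVE-2024-43301 (not from the advisory or the vendor):
# read the installed Fonts Plugin version with WP-CLI, compare it against the
# last vulnerable release, update if needed, and confirm the update landed.
# Assumes WP-CLI is on PATH; olympus-google-fonts is the WordPress.org slug.

PLUGIN_SLUG="olympus-google-fonts"
LAST_VULNERABLE="3.7.7"   # all versions through 3.7.7 are affected
FIXED_VERSION="3.7.8"

# version_le A B: exit 0 when dotted version A <= B, comparing each numeric
# component in turn (so 3.10.0 > 3.7.7, unlike a plain string comparison).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.]"); nb = split(b, B, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# is_vulnerable VERSION: exit 0 when VERSION is affected by CVE-2024-43301.
is_vulnerable() {
    version_le "$1" "$LAST_VULNERABLE"
}

# check_and_update: look up the installed version, update when vulnerable,
# then re-read the version so a silently failed update is not mistaken for a fix.
check_and_update() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG is not installed; nothing to do"
        return 0
    }
    if ! is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed is not affected (fixed in $FIXED_VERSION)"
        return 0
    fi
    echo "$PLUGIN_SLUG $installed is vulnerable to CVE-2024-43301; updating"
    # If you would rather take the plugin offline than auto-update, use:
    #   wp plugin deactivate "$PLUGIN_SLUG"
    wp plugin update "$PLUGIN_SLUG"
    updated=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    if is_vulnerable "$updated"; then
        echo "update failed: $PLUGIN_SLUG is still at $updated" >&2
        return 1
    fi
    echo "$PLUGIN_SLUG is now at $updated"
}

# Only act where WP-CLI exists, so the functions can also be sourced for reuse.
if command -v wp >/dev/null 2>&1; then
    check_and_update
fi
```

Run it on each site (or loop over sites with wp --path=...); a non-zero exit means the plugin is still at a vulnerable version after the update attempt and needs manual attention.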

📡 Detection & Monitoring

Log Indicators:

  • POST requests to WordPress admin endpoints (options.php, admin-post.php, admin-ajax.php) whose Referer or Origin header is not your own site, or is absent. The advisory does not name the plugin's specific action or option names, so filter on the endpoint rather than on a plugin-specific parameter.
  • Unexpected <script> tags, event-handler attributes, or javascript: URLs inside the plugin's saved settings in the wp_options table.

Network Indicators:

  • There is no foreign source address to block: the forged request is sent by the administrator's own browser and IP. The cross-site Referer/Origin on the request, and the administrator's visit to the lure page shortly before it, are the indicators.

SIEM Query (Splunk-style; adjust field names to your log source):

source="wordpress.log" method="POST" (uri_path="/wp-admin/options.php" OR uri_path="/wp-admin/admin-post.php" OR uri_path="/wp-admin/admin-ajax.php") NOT referer="https://<your-site-host>/*"
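The same Referer check run over raw web-server logs, for sites without a SIEM. This is an added example, not code from the advisory: the log lines are constructed for illustration in Apache/nginx "combined" format, blog.example is the assumed site host, and attacker.example and blog.example.evil.test are assumed lure hosts. It flags POSTs to /wp-admin/ whose Referer host is not exactly the site host, and separately flags POSTs with no Referer at all.

```sh
#!/bin/sh
# Added example for CVE-2024-43301 (not from the advisory): flag POST requests
# to WordPress admin endpoints whose Referer host is not the site itself. A CSRF
# request is issued by the victim's own browser, so the client IP is the
# administrator's; a Referer (or Origin, if your server logs it) pointing at a
# foreign site is the tell. Input is "combined" log format on stdin.
# The sample lines below are constructed; blog.example is the assumed site host.

SITE_HOST="blog.example"

SAMPLE_LOG='203.0.113.5 - - [12/Aug/2024:10:14:50 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2024:10:15:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2024:10:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2024:10:16:30 +0000] "GET /wp-admin/admin.php?page=olympus-google-fonts HTTP/1.1" 200 1234 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2024:10:17:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.evil.test/x" "Mozilla/5.0"'

# flag_cross_site_admin_posts SITE_HOST < logfile
# Prints one line per suspicious request: client IP, path, reason, referer.
# In combined format $6 is the quoted method, $7 the path, $11 the quoted referer.
flag_cross_site_admin_posts() {
    awk -v site="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-admin\// {
        ref = $11
        gsub(/"/, "", ref)
        if (ref == "-" || ref == "") {
            # No Referer at all: a lure page can suppress it, so report it too.
            print $1, $7, "no-referer", ref
            next
        }
        host = ref
        sub(/^[a-zA-Z]+:\/\//, "", host)   # drop scheme
        split(host, parts, "/"); host = parts[1]   # drop path
        sub(/[:?#].*$/, "", host)          # drop port, query, fragment
        # Exact host match only, so blog.example.evil.test does not pass.
        if (host != site) {
            print $1, $7, "foreign-referer", ref
        }
    }'
}

# count_flags SITE_HOST < logfile: number of suspicious requests, for alerting.
count_flags() {
    flag_cross_site_admin_posts "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_cross_site_admin_posts "$SITE_HOST"
```

On the sample input this reports the attacker.example and blog.example.evil.test POSTs and the Referer-less admin-ajax.php POST, and passes the two requests whose Referer is the site itself. The no-referer bucket is noisier than the foreign-referer one; if you can, log the Origin header as well, since browsers send it on cross-site POSTs even when Referer has been suppressed. To find a payload that already landed, also search the database: wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%<script%'" lists options whose values contain script tags.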
