Google Fonts Plugin Puts Over 300,000 WordPress Sites At Risk From Online Attackers
Our independent research projects and impartial reviews are funded in part by affiliate commissions, at no extra cost to our readers. Learn more
- A Google Fonts plugin for WordPress, “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy”, has been found to have a severe vulnerability.
- The plugin, which has been downloaded over 300,000 times, can give hackers access to entire directories and upload malicious scripts.
A Google Fonts plugin for WordPress blogs was found to have a major vulnerability, resulting in over 300,000 accounts being made vulnerable to hackers.
The plugin, “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy”, optimizes Google Fonts to reduce loading while also making it GDPR compliant, making it useful for EU customers who wish to use Google Fonts.
However, on January 2nd, 2024, Wordfence published a report that the plugin had failed what is known as a capability check, which checks whether the user has access to the plugin, including up to the admin level. As the Wordfence report states, “This [now] makes it possible for unauthenticated attackers to update the plugin’s settings which can be used to inject cross-site scripting payloads and delete entire directories”
Cross-site scripting is a type of cyber attack in which malicious code is uploaded to the website and its server. This script then allows hackers to attack the browsers of any visiting user, gaining access to their personal information. Cross-site scripting attacks are among the most common – and effective – cyber-attacks affecting average users, accounting for over 40% of all cyber attacks in 2019.
This is especially egregious when you consider the mundanity of the plugin since most WordPress blogs would be eager to download Google Fonts for the simple variety in content, yet had no idea that they could now be targeted by ruthless hackers.
As of January 3rd, the plugin has been patched thanks to update 5.7.10, but it is crucial to always be wary of potential plugin vulnerabilities, as we reported a similar story last year.
More Information:
- Secure your WordPress website today with our How To Secure A WordPress Website guide.
Leave a comment