CVE-2021-24638

CVE-2021-24638: OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API

Vendor: Unknown
Product: OMGF | Host Google Fonts Locally
Weakness: CWE-22 · Path traversal
Published: September 20, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website.

Key dates

02 Disclosure timeline

September 20, 2021: CVE published
August 3, 2024: Record updated