CVE-2021-24782: 
WordPress vulnerability analysis and mitigation

The Flex Local Fonts WordPress plugin through version 1.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Vishal Mohan and was publicly disclosed on November 15, 2021. The issue exists in the Class Name field when adding a font, which lacks proper output escaping (WPScan).

The vulnerability stems from insufficient escaping of the Class Name field in the font addition functionality. This security flaw allows high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with high privileges to inject and execute malicious JavaScript code in the context of other users' browsers who access the plugin's settings page. The impact is limited to users with administrative access to the WordPress installation (WPScan).

As of the latest available information, there is no known fix for this vulnerability. Users are advised to consider using alternative font management plugins or implementing additional security controls to restrict access to the font management functionality (WPScan).