CVE-2021-24977: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24977 vulnerability affects the WordPress plugin 'Use Any Font' versions below 6.2.1. This security flaw is characterized by an unauthenticated arbitrary CSS appending issue, where the plugin lacks proper authorization checks when assigning fonts. The vulnerability was publicly disclosed on January 31, 2022, and was assigned a high severity CVSS score of 8.8 (WPScan).

The vulnerability stems from the absence of authorization checks in the font assignment functionality, allowing unauthenticated users to send arbitrary CSS that gets processed by the frontend for all users. The issue is compounded by inadequate sanitization and escaping in the backend, which can lead to Stored XSS vulnerabilities. The vulnerability is classified under CWE-862 (Missing Authorization) and falls into the OWASP Top 10 category A5: Broken Access Control (WPScan).

When exploited, this vulnerability allows attackers to inject arbitrary CSS code that affects all users visiting the website. Additionally, due to the lack of proper backend sanitization, attackers can potentially execute stored Cross-Site Scripting (XSS) attacks, particularly when viewing the Assign Font dashboard (WPScan).

The vulnerability has been patched in version 6.2.1 of the Use Any Font plugin. Website administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).