CVE-2023-34180: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in KAPlugins Google Fonts For WordPress plugin versions 3.0.0 and earlier. The vulnerability was assigned CVE-2023-34180 and was publicly disclosed on May 30, 2023. The affected software is the free-google-fonts WordPress plugin (Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue (CWE-79). The plugin fails to properly sanitize and escape certain parameters before outputting them back in the page. The vulnerability has received a CVSS v3.1 base score of 7.1 (High) from Patchstack and 6.1 (Medium) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (WPScan, NVD).

The vulnerability could be exploited against high-privilege users such as administrators. A successful exploitation could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the site (Patchstack).

The vulnerability has been fixed in version 3.0.1 of the Google Fonts For WordPress plugin. Users are advised to update to version 3.0.1 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).