
Cloud Vulnerability DB
A community-led vulnerabilities database
The OMGF (GDPR/DSGVO Compliant, Faster Google Fonts) WordPress plugin contains a critical security vulnerability (CVE-2023-6600), discovered on January 2, 2024. It affects versions up to and including 5.7.9 and impacts over 300,000 WordPress sites. The plugin, designed to optimize Google Fonts usage and ensure GDPR compliance, is missing a capability check that exposes sites to potential attacks (CERT EU, Security Online).
The vulnerability stems from a missing capability check in the update_settings() function hooked via admin_init, allowing unauthorized modification of plugin settings. The flaw has received a CVSS score of 8.6 (High); two different vector strings have been assessed: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NIST) and CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (Wordfence). The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-862 (Missing Authorization) (NVD, WPScan).
The vulnerability enables unauthenticated attackers to modify plugin settings, with two significant potential impacts: injection of malicious cross-site scripting (XSS) payloads and unauthorized deletion of entire directories. This poses a serious risk to website integrity and security for the more than 300,000 sites using the plugin (Security Online).
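The bug class described above, shown as an added, constructed illustration rather than the OMGF plugin's own code: a settings handler on admin_init with no capability check beside a hardened version. The security-relevant detail is that admin_init also fires for requests to admin-ajax.php and admin-post.php, which do not require a logged-in user, so being hooked "in the admin" is not an authorization check. The plugin prefix `example_fonts`, its option and setting names, and the cache directory layout are hypothetical; the WordPress functions used (`current_user_can`, `check_admin_referer`, `wp_unslash`, `sanitize_text_field`, `sanitize_file_name`, `wp_normalize_path`, `esc_attr`) are real core APIs.

```php
<?php
// Constructed example (not the OMGF plugin's code) of the CVE-2023-6600 bug class:
// a settings handler hooked to admin_init that never checks who is calling.
// Prefix "example_fonts" and all option/setting names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
function example_fonts_update_settings_vulnerable() {
    if ( ! isset( $_POST['example_fonts_settings'] ) ) {
        return;
    }
    // No current_user_can(), no nonce, no sanitization: any request that
    // reaches admin_init with this POST field overwrites the stored settings.
    update_option( 'example_fonts_settings', $_POST['example_fonts_settings'] );
}
// add_action( 'admin_init', 'example_fonts_update_settings_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function example_fonts_update_settings_hardened() {
    if ( ! isset( $_POST['example_fonts_settings'] ) ) {
        return;
    }
    // 1. Authorization (CWE-862): only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: the form must carry a nonce bound to this action;
    //    check_admin_referer() ends the request if it is missing or invalid.
    check_admin_referer( 'example_fonts_save_settings', 'example_fonts_nonce' );

    // 3. Validation: accept only known keys and sanitize each by type.
    $raw   = wp_unslash( $_POST['example_fonts_settings'] );
    $clean = example_fonts_sanitize_settings( is_array( $raw ) ? $raw : array() );
    update_option( 'example_fonts_settings', $clean );
}
add_action( 'admin_init', 'example_fonts_update_settings_hardened' );

function example_fonts_sanitize_settings( array $input ) {
    $out = array();
    // Free-text value later rendered in admin HTML: strip markup on input
    // and still escape on output to close the stored-XSS path (CWE-79).
    if ( isset( $input['font_display'] ) ) {
        $out['font_display'] = sanitize_text_field( $input['font_display'] );
    }
    // The cache directory is stored as a bare folder name, never as a path.
    if ( isset( $input['cache_dir'] ) ) {
        $name = sanitize_file_name( basename( (string) $input['cache_dir'] ) );
        $out['cache_dir'] = ( '' === $name || '.' === $name || '..' === $name )
            ? 'example-fonts' : $name;
    }
    $out['preload'] = ! empty( $input['preload'] );
    return $out;
}

// A "clear cache" routine must rebuild the path from a fixed base and confirm
// the resolved directory is still inside it before deleting anything, so a
// tampered setting cannot turn cache clearing into arbitrary directory removal.
function example_fonts_cache_path() {
    $settings  = get_option( 'example_fonts_settings', array() );
    $name      = isset( $settings['cache_dir'] ) ? $settings['cache_dir'] : 'example-fonts';
    $base_real = realpath( WP_CONTENT_DIR . '/uploads/example-fonts-cache' ); // hypothetical base
    if ( false === $base_real ) {
        return false;
    }
    $base   = trailingslashit( wp_normalize_path( $base_real ) );
    $target = realpath( $base . $name );
    if ( false === $target ) {
        return false;
    }
    $target = trailingslashit( wp_normalize_path( $target ) );
    // Containment check: the resolved path must start with the fixed base.
    return ( 0 === strpos( $target, $base ) ) ? $target : false;
}

// Output: escape even sanitized values when rendering the settings form.
function example_fonts_render_display_field() {
    $settings = get_option( 'example_fonts_settings', array() );
    $value    = isset( $settings['font_display'] ) ? $settings['font_display'] : '';
    printf(
        '<input type="text" name="example_fonts_settings[font_display]" value="%s">',
        esc_attr( $value )
    );
}
```

The settings form that posts to this handler must emit the matching nonce with `wp_nonce_field( 'example_fonts_save_settings', 'example_fonts_nonce' )`. The capability check is the fix for the reported flaw; the nonce, key whitelisting and path containment are the additional layers that stop a settings write from becoming an XSS or directory-deletion primitive if one check is ever bypassed.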
Site administrators are strongly advised to update the OMGF plugin to version 5.7.10 or higher, which contains the necessary security fixes. Additionally, it is recommended to monitor WordPress sites for any signs of unauthorized changes, such as injected scripts or deleted directories (CERT EU).
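A small check for the two post-exploitation symptoms named above, added here as an example and not part of the original report or the OMGF plugin. It runs from the PHP CLI without WordPress loaded, over a constructed array standing in for rows from wp_options; with WordPress loaded, the same functions can be fed `get_option()` results (assumed usage). Option names and sample values are constructed, and the patterns are heuristics, so a hit is a prompt to inspect the value, not proof of compromise.

```php
<?php
// Constructed example (not from the original report or the OMGF plugin):
// flag stored settings that contain markup a font setting should never hold,
// and report expected plugin directories that no longer exist.

function example_find_suspicious_settings( array $options ) {
    // Markup fragments that do not belong in font/cache configuration.
    $patterns = array(
        '/<\s*script\b/i',     // inline or remote script tags
        '/\bon[a-z]+\s*=/i',   // onload=, onerror=, ... inline handlers
        '/javascript\s*:/i',   // javascript: URLs
        '/<\s*iframe\b/i',
    );
    $hits = array();
    foreach ( $options as $name => $value ) {
        // Serialised/array options are flattened so nested values are scanned too.
        $flat = is_scalar( $value ) ? (string) $value : json_encode( $value );
        foreach ( $patterns as $pattern ) {
            if ( preg_match( $pattern, $flat ) ) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

function example_find_missing_dirs( array $expected_dirs ) {
    $missing = array();
    foreach ( $expected_dirs as $dir ) {
        if ( ! is_dir( $dir ) ) {
            $missing[] = $dir;
        }
    }
    return $missing;
}

// Constructed sample rows (hypothetical option names and values).
$sample_options = array(
    'example_fonts_settings'   => array( 'cache_dir' => 'example-fonts', 'preload' => '1' ), // clean
    'example_fonts_families'   => 'Roboto, Open Sans',                                        // clean
    'example_fonts_custom_css' => 'body{font-family:Roboto}<script src="https://example.invalid/a.js"></script>', // injected
    'example_fonts_fallback'   => '<div onload="x()">sans-serif</div>',                        // injected
);

$suspicious = example_find_suspicious_settings( $sample_options );
echo "Settings containing markup: " . implode( ', ', $suspicious ) . PHP_EOL;
// example_fonts_custom_css, example_fonts_fallback

// Directories the site expects to exist (hypothetical paths for the example).
$missing = example_find_missing_dirs( array( __DIR__, __DIR__ . '/does-not-exist-example' ) );
echo "Missing directories: " . implode( ', ', $missing ) . PHP_EOL;
```

On a live site the first function is useful against the plugin's own option rows and any theme or customizer options that render HTML; the second against the plugin's cache directory and the uploads tree, since the advisory's second impact is deletion of directories rather than files.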
Source: This report was generated using AI