CVE-2024-8920: 
WordPress vulnerability analysis and mitigation

The Fonto – Custom Web Fonts Manager plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-8920) that affects all versions up to and including 1.2.1. The vulnerability was discovered and disclosed on October 17, 2024 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping when handling SVG file uploads. This allows authenticated users with Author-level privileges or higher to inject arbitrary web scripts through SVG files. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows attackers to inject malicious scripts that will execute whenever a user accesses the compromised SVG file. This can lead to the execution of arbitrary JavaScript code in users' browsers who view the affected pages (NVD).

The vulnerability has been patched in version 1.2.2 of the Fonto plugin. The update includes security improvements to sanitize SVG uploads and prevent XSS vulnerabilities. Users are advised to update to the latest version immediately (WordPress Plugin).