CVE-2023-6600: CWE-862 Missing Authorization in daanvandenbergh OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings, which can be used to inject Cross-Site Scripting payloads and delete entire directories. Please note there were several attempted patches, and we consider 5.7.10 to be the most sufficiently patched.
AI Analysis
Technical Summary
CVE-2023-6600 is a high-severity vulnerability affecting the WordPress plugin "OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy." developed by daanvandenbergh. The vulnerability arises from a missing authorization check (CWE-862) in the update_settings() function, which is hooked to the admin_init action. This flaw allows unauthenticated attackers to modify plugin settings without any privilege verification. Exploitation can lead to stored Cross-Site Scripting (XSS) (CWE-79) attacks, where malicious scripts are injected and persist within the plugin's configuration, potentially affecting site visitors and administrators. Additionally, attackers can delete entire directories, causing significant disruption to the website's functionality and availability. The vulnerability affects all versions up to and including 5.7.9, with version 5.7.10 considered the first sufficiently patched release after multiple attempted fixes. The CVSS v3.1 base score is 8.6, reflecting the vulnerability's network exploitable nature (no authentication or user interaction required), low attack complexity, and high impact on availability, with moderate impacts on confidentiality and integrity. Although no known exploits are currently reported in the wild, the ease of exploitation and potential damage make this a critical concern for WordPress sites using this plugin. The vulnerability is particularly dangerous because it allows attackers to bypass normal administrative controls, leading to unauthorized data modification, persistent XSS, and destructive actions such as directory deletion.
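The hook pattern the analysis describes, shown as an added example rather than the OMGF plugin's own code: a settings handler on admin_init with no authorization check next to a hardened version. Function names, the option key, the nonce action and the field names are hypothetical.

```php
<?php
// Added illustration, not OMGF source. All identifiers below are hypothetical.

// Vulnerable shape: admin_init fires on every wp-admin request, including
// admin-ajax.php and admin-post.php, which are reachable without a login.
// Persisting request parameters here with no capability or nonce check lets
// anyone who can reach the site rewrite the option.
function vulnerable_update_settings() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( 'example_plugin_settings', $_POST['example_settings'] );
    }
}
// add_action( 'admin_init', 'vulnerable_update_settings' ); // kept only for contrast

// Hardened shape: require a capability, verify a nonce bound to this action,
// and sanitize the values before they are stored.
function hardened_update_settings() {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    // 1. Authorization: admin_init does not imply an administrator is logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF protection: the nonce must match the one emitted by the settings form.
    check_admin_referer( 'example_update_settings', 'example_nonce' );
    // 3. Input validation: accept only known keys and sanitize each value so
    //    stored markup cannot later be rendered as script (the stored XSS path).
    $allowed = array( 'cache_dir', 'display_option' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST['example_settings'][ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $_POST['example_settings'][ $key ] ) );
        }
    }
    update_option( 'example_plugin_settings', $clean );
}
add_action( 'admin_init', 'hardened_update_settings' );

// Form side: emit the nonce that hardened_update_settings() verifies.
function example_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_update_settings', 'example_nonce' );
    echo '<input type="text" name="example_settings[cache_dir]">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The capability check is the fix the advisory names; the nonce and sanitization steps are the standard companions that close the CSRF and stored-XSS paths through the same handler.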
Potential Impact
For European organizations, the impact of CVE-2023-6600 can be substantial. Many European companies and institutions rely on WordPress for their websites, including governmental, educational, and commercial entities. The OMGF plugin is designed to help comply with GDPR/DSGVO by managing Google Fonts in a privacy-conscious manner, making it popular among EU-based sites aiming for regulatory compliance. Exploitation of this vulnerability could lead to unauthorized changes in website behavior, injection of malicious scripts that compromise user data or deliver malware, and potential site outages due to directory deletions. This not only risks data confidentiality and integrity but also availability, which can disrupt business operations and damage reputation. Furthermore, GDPR mandates strict data protection and breach notification requirements; a successful attack exploiting this vulnerability could trigger regulatory scrutiny and financial penalties. The stored XSS vector could also be leveraged to steal session cookies or perform actions on behalf of legitimate users, increasing the risk of further compromise. Given the plugin's role in GDPR compliance, an attack could ironically undermine the very data protection goals it aims to support.
Mitigation Recommendations
European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice:
- Upgrade the OMGF plugin to version 5.7.10 or later, which contains the necessary authorization checks and fixes.
- Conduct a thorough audit of WordPress user roles and permissions to ensure that only trusted administrators have access to plugin settings.
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the update_settings() endpoint or admin_init hooks.
- Regularly scan websites for stored XSS payloads and unauthorized changes, using automated security tools tailored for WordPress environments.
- Back up website files and databases frequently to enable quick recovery in case of directory deletion or other destructive actions.
- Monitor logs for unusual activity related to plugin settings changes, especially from unauthenticated sources.
- Educate site administrators about this vulnerability and the importance of timely updates and security hygiene.
- Consider isolating or sandboxing critical WordPress instances that handle sensitive data to limit the blast radius of potential exploitation.
Affected Countries
Germany, France, Netherlands, Belgium, Austria, Sweden, Denmark, Finland, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2023-12-08T00:04:00.899Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f0dc1182aa0cae27ff332
Added to database: 6/3/2025, 2:59:13 PM
Last enriched: 7/4/2025, 5:24:38 AM
Last updated: 8/9/2025, 8:27:58 AM