CVE-2024-8920: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vladolaru Fonto – Custom Web Fonts Manager
CVE-2024-8920 is a stored cross-site scripting (XSS) vulnerability in the Fonto – Custom Web Fonts Manager WordPress plugin, affecting all versions up to 1.2.1. The flaw arises from improper sanitization and escaping of SVG file uploads, allowing authenticated users with Author-level or higher privileges to inject malicious scripts. These scripts execute whenever any user accesses the malicious SVG file, potentially compromising user sessions and data. The vulnerability has a CVSS score of 6.4 (medium severity), requires no user interaction, but does require authenticated access with limited privileges. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent potential XSS attacks that could lead to data theft or session hijacking. Countries with high WordPress usage and significant adoption of this plugin are at greater risk.
AI Analysis
Technical Summary
CVE-2024-8920 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Fonto – Custom Web Fonts Manager plugin for WordPress. This vulnerability affects all versions up to and including 1.2.1. The root cause is insufficient input sanitization and output escaping of SVG file uploads within the plugin. Authenticated attackers with Author-level or higher privileges can upload crafted SVG files containing malicious JavaScript payloads. When any user, including administrators or visitors, accesses a page that loads the malicious SVG, the embedded script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond accessing the affected page and does not require elevated privileges beyond Author-level access, which is a relatively low bar in WordPress environments. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the widespread use of WordPress and the plugin’s functionality. The vulnerability highlights the importance of proper input validation and output encoding, especially for user-uploaded content like SVG files, which can contain executable scripts.
Potential Impact
The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise the confidentiality and integrity of user data. Attackers can hijack user sessions, steal cookies, or perform unauthorized actions on behalf of victims, including administrators. This can lead to further compromise of the WordPress site, including privilege escalation, data leakage, or defacement. Since the vulnerability requires only Author-level access, attackers who gain such privileges through other means can leverage this flaw to escalate their impact. The availability of the site is not directly affected, but the reputational damage and potential data breaches can have severe consequences for organizations. Given WordPress’s extensive use worldwide, especially among small to medium enterprises and content-heavy websites, the threat surface is broad. Organizations relying on this plugin for custom font management are particularly at risk, and failure to mitigate could lead to targeted attacks or automated exploitation once public exploits emerge.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Fonto – Custom Web Fonts Manager plugin and its version. Until an official patch is released, administrators should restrict Author-level privileges to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious SVG payloads can provide interim protection. Additionally, administrators should monitor uploaded SVG files for suspicious content and sanitize or remove any untrusted SVG uploads. Enforcing strict Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution contexts. Regularly updating WordPress core and plugins, and subscribing to vulnerability advisories for this plugin, will ensure timely application of patches once available. Finally, educating users about the risks of privilege misuse and maintaining strong access controls will reduce the likelihood of exploitation.
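As an added example (not part of this advisory or of the plugin's code), the following Python check follows the "monitor uploaded SVG files for suspicious content" recommendation: it parses an SVG with the standard library and reports the constructs that let an SVG run script in a browser (script and embedding elements, on* event-handler attributes, javascript: hrefs). The element list, the finding format and the two sample SVG documents are constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG carry or embed script when rendered by a browser.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed sample inputs (not real uploads from any site).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>console.log('constructed sample')</script>"
    b'<rect width="1" onload="console.log(1)"/>'
    b'<a href="javascript:void(0)"><text>x</text></a></svg>'
)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings for script-capable content; [] means nothing found.

    A document that does not parse is reported as a finding too: an
    unparseable upload should not be served to other users as-is.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    findings: list[str] = []
    for elem in root.iter():  # document order, root element included
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event-handler:{name}@{aname}")
            elif aname == "href":  # covers both href and xlink:href
                # Browsers drop tabs/newlines inside URLs, so strip whitespace
                # before reading the scheme to avoid trivial evasion.
                scheme = "".join(value.split()).lower().split(":", 1)[0]
                if scheme == "javascript":
                    findings.append(f"scheme:javascript:{name}@{aname}")
    return findings


def should_quarantine(svg_bytes: bytes) -> bool:
    """True when the upload should be held back rather than served."""
    return bool(find_active_content(svg_bytes))
```

Run over the uploads directory of a site using the plugin, files for which `should_quarantine` returns True are the ones to review or remove; a restrictive CSP still belongs alongside this check, since scanning catches known constructs rather than proving a file inert.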
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-16T22:37:47.915Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b3ab7ef31ef0b54f7e8
Added to database: 2/25/2026, 9:35:54 PM
Last enriched: 2/25/2026, 10:55:00 PM
Last updated: 2/26/2026, 8:06:09 AM