Search criteria
4 vulnerabilities found for omgf by ffw
CVE-2021-24639 (GCVE-0-2021-24639)
Vulnerability from nvd – Published: 2021-09-20 10:06 – Updated: 2024-08-03 19:35
VLAI?
Title
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
Summary
The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | OMGF | Host Google Fonts Locally |
Affected:
4.5.4 , < 4.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OMGF | Host Google Fonts Locally",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.4",
"status": "affected",
"version": "4.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-20T10:06:45.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OMGF \u003c 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24639",
"STATE": "PUBLIC",
"TITLE": "OMGF \u003c 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OMGF | Host Google Fonts Locally",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.4",
"version_value": "4.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24639",
"datePublished": "2021-09-20T10:06:45.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:35:20.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24638 (GCVE-0-2021-24638)
Vulnerability from nvd – Published: 2021-09-20 10:06 – Updated: 2024-08-03 19:35
VLAI?
Title
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
Summary
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | OMGF | Host Google Fonts Locally |
Affected:
4.5.4 , < 4.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OMGF | Host Google Fonts Locally",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.4",
"status": "affected",
"version": "4.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-20T10:06:43.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OMGF \u003c 4.5.4 - Unauthenticated Path Traversal in REST API",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24638",
"STATE": "PUBLIC",
"TITLE": "OMGF \u003c 4.5.4 - Unauthenticated Path Traversal in REST API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OMGF | Host Google Fonts Locally",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.4",
"version_value": "4.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24638",
"datePublished": "2021-09-20T10:06:43.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:35:20.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24639 (GCVE-0-2021-24639)
Vulnerability from cvelistv5 – Published: 2021-09-20 10:06 – Updated: 2024-08-03 19:35
VLAI?
Title
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
Summary
The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | OMGF | Host Google Fonts Locally |
Affected:
4.5.4 , < 4.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OMGF | Host Google Fonts Locally",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.4",
"status": "affected",
"version": "4.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-20T10:06:45.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OMGF \u003c 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24639",
"STATE": "PUBLIC",
"TITLE": "OMGF \u003c 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OMGF | Host Google Fonts Locally",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.4",
"version_value": "4.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24639",
"datePublished": "2021-09-20T10:06:45.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:35:20.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24638 (GCVE-0-2021-24638)
Vulnerability from cvelistv5 – Published: 2021-09-20 10:06 – Updated: 2024-08-03 19:35
VLAI?
Title
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
Summary
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | OMGF | Host Google Fonts Locally |
Affected:
4.5.4 , < 4.5.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OMGF | Host Google Fonts Locally",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.4",
"status": "affected",
"version": "4.5.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "apple502j"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-20T10:06:43.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OMGF \u003c 4.5.4 - Unauthenticated Path Traversal in REST API",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24638",
"STATE": "PUBLIC",
"TITLE": "OMGF \u003c 4.5.4 - Unauthenticated Path Traversal in REST API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OMGF | Host Google Fonts Locally",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.4",
"version_value": "4.5.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "apple502j"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24638",
"datePublished": "2021-09-20T10:06:43.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:35:20.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}