WordPress Google Fonts Plugin Vulnerability: Impacts Up to +300,000 Sites

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5, rated)
Vulnerability In The WordPress Google Fonts Plugin

A WordPress Google Fonts Plugin vulnerability lets unauthorized users create and remove directories and launch cross-site scripting attacks.

Millions of websites all around the world utilize WordPress as their content management system (CMS). It offers a wide range of plugins to expand its functionality and customize the user experience. Nevertheless, some plugins have been developed differently regarding security.

More than 300,000 websites may be at risk of security breaches due to a bug that was recently discovered in a WordPress plugin for Google Font optimization.

By outlining the potential consequences of this security flaw and offering practical guidance on protecting your WordPress website, this blog post aims to raise awareness of it and emphasize how serious it is.

The Vulnerability

The “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.” plugin, intended to maximize Google Font use and assure GDPR compliance, is impacted by the abovementioned problem. The plugin is especially prevalent among users. Unfortunately, a security flaw in its code lets unauthorized attackers use the plugin’s functionalities to leverage them for harm.

The Google Fonts Plugin vulnerability exposes potential vulnerabilities that might jeopardize user data and the integrity of the website.

The fact that the vulnerability permits unauthenticated attackers makes it very problematic. “Unauthenticated” indicates that an attacker can access the website without credentials or authentication.

It is stated that the vulnerability facilitates the uploading of Cross-Site Scripting (XSS) payloads and allows unauthenticated directory removal.

A malicious script can be uploaded to a website server to remotely attack any visitor’s browser. This form of attack is known as cross-site scripting or XSS. By doing so, an adversary gains access to a user’s cookies or session data and takes over their privileges as the user viewing the website.

The Vulnerability’s Primary Cause

Researchers at Wordfence have determined that the vulnerability stems from the absence of a capability check, a security feature that confirms a user’s access to functionalities within a plugin. 

The vulnerability in the Google Fonts plugin is primarily caused by an incomplete capability check in the “update_settings()” function, which is connected through “admin_init“.

Capability checking” is crucial for granting rights to users or user roles and preventing unauthorized access to significant website performance, according to the official WordPress developer page for plugin developers.

Although earlier plugin versions attempted to patch the security hole, Wordfence further states that version 5.7.10 is considered the most secure.

According to Wordfence’s vulnerability notification, versions 5.7.9 and higher are susceptible to stored Cross-Site Scripting and unauthorized data alteration.


There are serious repercussions from this vulnerability. Unauthenticated attackers could use the vulnerability to erase whole directories from a website’s server, leading to data loss and service interruption. 

Up to 300,000 websites that use the Google Fonts optimization plugin might have their security seriously jeopardized by this issue.

Moreover, the capacity to upload XSS payloads makes it possible for various malicious actions, such as collecting user session data and taking over the rights of specific users, to occur.

Securing Your WordPress Website

Website managers and owners must respond right away, given the seriousness of the vulnerability. There might be adverse effects on the impacted website and its users if this issue is not resolved quickly. 

Maintaining awareness and putting the required security measures in place are critical to reducing the hazards related to this vulnerability.

Ways to Do to Protect Your Website

You can lower the dangers and guarantee the security of your online presence by taking the measures listed below.

Know the Significance of Regular Updates

Emphasize the importance of maintaining the latest versions of WordPress, plugins, and themes to ensure that the security updates have been applied. Encourage site managers to remain vigilant and proactive to maintain a secure online presence.

Put Web Application Firewall Security into Action

You may provide your WordPress website an additional degree of protection by using a Web Application Firewall. It filters out possible risks and prevents suspicious activity from functioning as a barrier between your website and harmful traffic.

Making Your Website Future-Safe:

Talk about the bigger picture of website security and provide advice on how to fortify WordPress websites against upcoming threats. Promote a proactive approach instead of a reactive security strategy.

Carry out a Security Audit

To find any potential vulnerabilities, you must do a thorough security audit on your WordPress website. Use trustworthy security plugins or consult with cybersecurity experts to determine the security posture of your website. All installed plugins, themes, and core files should be carefully inspected as part of this audit to ensure there are no known vulnerabilities.

Users Should Learn Safe Browsing Techniques

Making sure visitors to your website understand safe surfing techniques will significantly lower the likelihood that they will become targets of attacks.

Teach your audience the value of updating their devices’ browsers, avoiding suspicious downloads and links, and using caution when inputting personal information on websites. Users can experience a safer online environment if you cultivate a culture of cybersecurity knowledge.


The vulnerability found in the WordPress Google Fonts Plugin is a clear reminder of how constantly changing internet dangers may be. WordPress site owners may strengthen their online presence against potential vulnerabilities by comprehending the problem, evaluating its impact, and putting strong security measures in place.

Keep yourself conscious, take swift action, and give yourself the tools to navigate the ever-changing website security landscape confidently.

WordPress Technical Assistance To Protect your Website from any Security Concerns.

We have a thorough strategy that addresses every aspect of security, from keeping an eye on activity on your website to spotting fraudulent code and stopping brute-force attacks. Our team of professionals will assist in maintaining the confidentiality and security of your website, regardless of whether it is an e-commerce or membership site. Browse Our WordPress Support Services

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.