Headline
CVE-2023-32625: Multiple vulnerabilities in WordPress Plugin "TS Webfonts for SAKURA"
Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page.
Published:2023/07/20 Last Updated:2023/07/20
Overview
WordPress Plugin “TS Webfonts for SAKURA” provided by SAKURA internet Inc. contains multiple vulnerabilities.
Products Affected
CVE-2023-32624
- TS Webfonts for SAKURA 3.1.0 and earlier
CVE-2023-32625
- TS Webfonts for SAKURA 3.1.2 and earlier
Description
WordPress Plugin “TS Webfonts for SAKURA” provided by SAKURA internet Inc. contains multiple vulnerabilities listed below.
Cross-site scripting (CWE-79) - CVE-2023-32624
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
CVSS v2
AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6
Cross-site request forgery (CWE-352) - CVE-2023-32625
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
CVSS v2
AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6
Impact
- An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin - CVE-2023-32624
- If a user with the administrative privilege views a malicious page while logging in to the WordPress using the plugin, settings may be changed without user’s intention - CVE-2023-32625
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer addressed these vulnerabilities in the following versions:
- CVE-2023-32624:
- TS Webfonts for SAKURA 3.1.1
- CVE-2023-32625:
- TS Webfonts for SAKURA 3.1.3
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
SAKURA internet Inc. reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and SAKURA internet Inc. coordinated under the Information Security Early Warning Partnership.
Other Information