Security Advisory 2024-001

Release Date:

Vulnerability in Wordpress Google Fonts Plugin



  • 03/01/2024 --- v1.0 -- Initial publication


On January 2, 2024, an unauthenticated Stored Cross-Site Scripting (XSS) and directory deletion vulnerability has been discovered in the "OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy." plugin for WordPress. This vulnerability, identified as CVE-2023-6600 (CVSS score of 8.6)[1], may allow unauthenticated attackers to update the plugin's settings and inject malicious scripts into affected sites [2].

This vulnerability could affect sites that have the OMGF plugin installed and configured, which is estimated to be over 300,000 sites [3].

Technical Details

The OMGF plugin vulnerability occurs due to a missing capability check on the update_settings() function hooked via admin_init. This allows unauthenticated attackers to modify the plugin's settings, leading to Stored Cross-Site Scripting and directory deletion.

Affected Products

"OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy." plugin version 5.7.9 and below.


To mitigate this vulnerability, users should update the vulnerable plugin to at least version 5.7.10 as it contains the necessary fixes.

Users are also advised to monitor their WordPress sites for any signs of unauthorised changes, such as injected scripts or deleted directories.





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.