CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32625 – TS Webfonts for SAKURA <= 3.1.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-32625
20 Jul 2023 — Cross-site request forgery (CSRF) vulnerability in TS Webfonts for SAKURA 3.1.2 and earlier allows a remote unauthenticated attacker to hijack the authentication of a user and to change settings by having a user view a malicious page. The TS Webfonts for SAKURA plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.2. This is due to missing or incorrect nonce validation on the '2' and '3' actions of typesquare_admin_init() function. This makes it possible for ... • https://ja.wordpress.org/plugins/ts-webfonts-for-sakura/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32624 – TS Webfonts for SAKURA <= 3.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-32624
20 Jul 2023 — Cross-site scripting vulnerability in TS Webfonts for SAKURA 3.1.0 and earlier allows a remote unauthenticated attacker to inject an arbitrary script. The TS Webfonts for SAKURA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that wil... • https://ja.wordpress.org/plugins/ts-webfonts-for-sakura/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •