CVE-2023-5823 – WordPress TK Google Fonts GDPR Compliant Plugin <= 2.2.11 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-5823
Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions.

The TK Google Fonts GDPR Compliant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tk_google_fonts_add_font function in all versions up to, and including, 2.2.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add arbitrary Google fonts. We believe CVE-2023-5823 may be misreported as a CSRF, as the check added in 2.2.12 is not a nonce check but a capability check.

References:
https://patchstack.com/database/vulnerability/tk-google-fonts/wordpress-tk-google-fonts-gdpr-compliant-plugin-2-2-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Weaknesses:
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-862: Missing Authorization
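The distinction the advisory draws (a capability check addresses missing authorization, a nonce check addresses CSRF, and a handler needs both) is easiest to see side by side. The following is an added illustration of that pattern in a hypothetical WordPress admin-ajax handler; it is not the plugin's code, and the hook, option and nonce names are invented for the example.

```php
<?php
// Added example, not the plugin's code. Hypothetical admin-ajax handler that
// stores a font name, first as the weak pattern and then with both checks.

// Weak pattern: wp_ajax_* hooks fire for every logged-in user, including
// subscribers, so without a capability check any authenticated user can
// change the option (CWE-862). Nothing ties the request to the site either,
// so a cross-site form post from an admin's browser would also succeed (CWE-352).
function example_add_font_unchecked() {
    $font  = sanitize_text_field( wp_unslash( $_POST['font'] ?? '' ) );
    $fonts = get_option( 'example_fonts', array() );
    $fonts[] = $font;
    update_option( 'example_fonts', $fonts );
    wp_send_json_success( $fonts );
}
add_action( 'wp_ajax_example_add_font_unchecked', 'example_add_font_unchecked' );

// Hardened pattern: authorization first, then CSRF protection, then the write.
function example_add_font_checked() {
    // Authorization: only users who may manage site settings can change fonts.
    // This is the kind of check the advisory says 2.2.12 added.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry a nonce minted for this action by this site.
    // A capability check alone does not provide this; both are needed.
    check_ajax_referer( 'example_add_font', 'nonce' );

    $font  = sanitize_text_field( wp_unslash( $_POST['font'] ?? '' ) );
    $fonts = get_option( 'example_fonts', array() );
    $fonts[] = $font;
    update_option( 'example_fonts', $fonts );
    wp_send_json_success( $fonts );
}
add_action( 'wp_ajax_example_add_font_checked', 'example_add_font_checked' );

// The legitimate admin page hands the nonce to its script so the AJAX call
// can include it as the 'nonce' POST field checked above.
function example_enqueue_font_script() {
    wp_enqueue_script( 'example-fonts', plugins_url( 'fonts.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-fonts', 'exampleFonts', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_add_font' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_font_script' );
```

When reviewing a plugin's AJAX handlers, check for both `current_user_can()` and `check_ajax_referer()` (or `wp_verify_nonce()`); the presence of one does not imply the other.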