CVE-2021-24638
CRITICAL
OMGF < 4.5.4 - Unauthenticated Path Traversal and Arbitrary File Write via REST API Handle Parameter
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded to the Google Fonts website.
References (1)
Exploit, Third Party Advisory (x_refsource_misc)
https://wpscan.com/vulnerability/c783a746-f1fe-4d68-9d0a-477de5dbb35c
Scores
CVSS v3
9.1
EPSS
0.0176
EPSS Percentile
75.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
ffw/omgf
< 4.5.4
Published
Sep 20, 2021
Tracked Since
Feb 18, 2026