Published:2023/07/20 Last Updated:2023/07/20
JVN#90560760
Multiple vulnerabilities in WordPress Plugin "TS Webfonts for SAKURA"
Overview
WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities.
Products Affected
CVE-2023-32624
- TS Webfonts for SAKURA 3.1.0 and earlier
- TS Webfonts for SAKURA 3.1.2 and earlier
Description
WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities listed below.
- Cross-site scripting (CWE-79) - CVE-2023-32624
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Cross-site request forgery (CWE-352) - CVE-2023-32625
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin - CVE-2023-32624
- If a user with the administrative privilege views a malicious page while logging in to the WordPress using the plugin, settings may be changed without user's intention - CVE-2023-32625
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer addressed these vulnerabilities in the following versions:
- CVE-2023-32624:
- TS Webfonts for SAKURA 3.1.1
- CVE-2023-32625:
- TS Webfonts for SAKURA 3.1.3
Vendor Status
Vendor | Link |
SAKURA internet Inc. | TS Webfonts for SAKURA (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
SAKURA internet Inc. reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and SAKURA internet Inc. coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2023-32624 |
CVE-2023-32625 |
|
JVN iPedia |
JVNDB-2023-000070 |