Published: 2023/07/20  Last Updated: 2023/07/20

JVN#90560760
Multiple vulnerabilities in WordPress Plugin "TS Webfonts for SAKURA"

Overview

WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities.

Products Affected

CVE-2023-32624
  • TS Webfonts for SAKURA 3.1.0 and earlier

CVE-2023-32625
  • TS Webfonts for SAKURA 3.1.2 and earlier

Description

WordPress Plugin "TS Webfonts for SAKURA" provided by SAKURA internet Inc. contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79) - CVE-2023-32624
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Cross-site request forgery (CWE-352) - CVE-2023-32625
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • An arbitrary script may be executed in the web browser of a user who is logged in to a WordPress site that uses the plugin - CVE-2023-32624
  • If a user with administrative privilege views a malicious page while logged in to a WordPress site that uses the plugin, settings may be changed without the user's intention - CVE-2023-32625
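The two weakness classes above are the usual pair found in a WordPress plugin settings page: a POST handler that saves an option without a nonce check (CWE-352) and a form that echoes the stored value back unescaped (CWE-79). The following is an added illustration of that pattern beside its hardened form; it is not code from "TS Webfonts for SAKURA", and the advisory does not disclose where in the plugin the flaws were. The option name, menu slug and function names are made up for the example.

```php
<?php
/*
 * Illustrative pattern only, written for this page. NOT the plugin's code:
 * the advisory names CWE-79 and CWE-352 but not the affected code paths.
 * Option name 'tsw_demo_font', slug 'tsw-demo' and all function names are
 * assumptions made for the example.
 */

// --- Vulnerable form: no nonce or capability check on save, raw echo on render ---
function tsw_demo_vulnerable_page() {
    if ( isset( $_POST['tsw_demo_font'] ) ) {
        // CWE-352: any POST carrying the field is accepted. A page the admin
        // merely views can auto-submit such a form with the admin's cookies.
        update_option( 'tsw_demo_font', $_POST['tsw_demo_font'] );
    }
    $font = get_option( 'tsw_demo_font', '' );
    // CWE-79: the stored value is written into an attribute unescaped, so a
    // value such as  "><script>...</script>  runs for every admin who opens the page.
    echo '<form method="post">';
    echo '<input name="tsw_demo_font" value="' . $font . '">';
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened form ---
function tsw_demo_hardened_page() {
    if ( isset( $_POST['tsw_demo_font'] ) ) {
        // Authorization: only users allowed to manage options may save.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }
        // CSRF: the form must carry a nonce bound to this action and user;
        // check_admin_referer() stops the request on a missing or invalid nonce.
        check_admin_referer( 'tsw_demo_save', 'tsw_demo_nonce' );
        // Input handling: remove the slashes WordPress adds, then sanitize.
        $font = sanitize_text_field( wp_unslash( $_POST['tsw_demo_font'] ) );
        update_option( 'tsw_demo_font', $font );
    }
    $font = get_option( 'tsw_demo_font', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field (and a referer field) for the check above.
    wp_nonce_field( 'tsw_demo_save', 'tsw_demo_nonce' );
    // Output encoding for the HTML attribute context.
    echo '<input name="tsw_demo_font" value="' . esc_attr( $font ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'TSW demo', 'TSW demo', 'manage_options',
        'tsw-demo', 'tsw_demo_hardened_page' );
} );
```

Two notes on the hardened form. WordPress already checks the `manage_options` capability before rendering a page registered with `add_options_page()`, so the explicit `current_user_can()` call is defensive rather than strictly necessary; the nonce check, however, is the only thing that stops a cross-site POST, since the victim's session cookie is sent automatically. Plugins that use the Settings API (`register_setting()` with the form posting to `options.php`) get the nonce check from core, but the output escaping on render is always the plugin's own responsibility.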

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer addressed these vulnerabilities in the following versions:

  • CVE-2023-32624:
    • TS Webfonts for SAKURA 3.1.1
  • CVE-2023-32625:
    • TS Webfonts for SAKURA 3.1.3
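Because the two fixes landed in different releases, a site on 3.1.1 or 3.1.2 is past the XSS fix but still exposed to the CSRF. The following added check (not part of the advisory) reads the version from a plugin's main-file header and applies the affected ranges and fixed versions listed above. The sample header is constructed for the example, and the plugin's real directory and main file name are not stated on this page and must be confirmed under wp-content/plugins/.

```php
<?php
// Added example for this page, not vendor code: map an installed version of
// "TS Webfonts for SAKURA" to the CVEs that still apply, using the ranges
// stated in the advisory (32624: <= 3.1.0, fixed 3.1.1; 32625: <= 3.1.2, fixed 3.1.3).

function tsw_affected_cves( $version ) {
    // [CVE, last affected version, first fixed version] per the advisory.
    $ranges = array(
        array( 'CVE-2023-32624', '3.1.0', '3.1.1' ),
        array( 'CVE-2023-32625', '3.1.2', '3.1.3' ),
    );
    $hits = array();
    foreach ( $ranges as list( $cve, $last_bad, $fixed ) ) {
        // version_compare() handles multi-part versions correctly ("3.1.10" > "3.1.9").
        if ( version_compare( $version, $last_bad, '<=' ) ) {
            $hits[ $cve ] = $fixed;
        }
    }
    return $hits;
}

// Pull "Version:" out of a plugin header block, using the same header-line
// shape WordPress core accepts (leading comment punctuation, case-insensitive).
function tsw_version_from_header( $php_source ) {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $php_source, $m ) ) {
        return $m[1];
    }
    return null;
}

// Constructed sample; in practice pass file_get_contents() of the plugin's
// main file (path is an assumption, verify it on the target site).
$sample = "<?php\n/*\nPlugin Name: TS Webfonts for SAKURA\nVersion: 3.1.1\n*/\n";
$installed = tsw_version_from_header( $sample );

if ( $installed === null ) {
    echo "Could not read the plugin version header\n";
} else {
    $open = tsw_affected_cves( $installed );
    echo "Installed: $installed\n";
    foreach ( $open as $cve => $fixed ) {
        echo "$cve still applies; update to $fixed or later\n";
    }
    if ( empty( $open ) ) {
        echo "Not affected by either CVE\n";
    }
}
```

On a live site the same answer is available in one line from WP-CLI, `wp plugin list --fields=name,version`, read against the ranges above; the point of the script is that "updated once" is not enough here, since only 3.1.3 or later closes both issues.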

Vendor Status

Vendor Link
SAKURA internet Inc. TS Webfonts for SAKURA (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

SAKURA internet Inc. reported these vulnerabilities to IPA to notify users of the solutions through JVN. JPCERT/CC and SAKURA internet Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE CVE-2023-32624
CVE-2023-32625
JVN iPedia JVNDB-2023-000070