CVE-2021-24638

Name of the Vulnerable Software and Affected Versions OMGF WordPress plugin versions prior to 4.5.4

Description The issue allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website, due to the lack of escaping or validation of the handle parameter in the REST API.

Recommendations For OMGF WordPress plugin versions prior to 4.5.4, update to version 4.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API or disabling the handle parameter until a patch is applied.