Google Fonts Plugin Puts Over 300,000 WordPress Sites At Risk From Online Attackers

If you click to purchase a product or service based on our independent recommendations and impartial reviews, we may receive a commission. Learn more

a graphic of security images and locks on a laptop
  • A Google Fonts plugin for WordPress, “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy”, has been found to have a severe vulnerability.
  • The plugin, which has been downloaded over 300,000 times, can give hackers access to entire directories and upload malicious scripts.

A Google Fonts plugin for WordPress blogs was found to have a major vulnerability, resulting in over 300,000 accounts being made vulnerable to hackers.

The plugin, “OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy”, optimizes Google Fonts to reduce loading while also making it GDPR compliant, making it useful for EU customers who wish to use Google Fonts.

However, on January 2nd, 2024, Wordfence published a report that the plugin had failed what is known as a capability check, which checks whether the user has access to the plugin, including up to the admin level. As the Wordfence report states, “This [now] makes it possible for unauthenticated attackers to update the plugin’s settings which can be used to inject cross-site scripting payloads and delete entire directories”

Cross-site scripting is a type of cyber attack in which malicious code is uploaded to the website and its server. This script then allows hackers to attack the browsers of any visiting user, gaining access to their personal information. Cross-site scripting attacks are among the most common – and effective – cyber-attacks affecting average users, accounting for over 40% of all cyber attacks in 2019.

This is especially egregious when you consider the mundanity of the plugin since most WordPress blogs would be eager to download Google Fonts for the simple variety in content, yet had no idea that they could now be targeted by ruthless hackers.

As of January 3rd, the plugin has been patched thanks to update 5.7.10, but it is crucial to always be wary of potential plugin vulnerabilities, as we reported a similar story last year.

More Information:

Written by:
headshot of Sam Jagger
Being a Writer for Website Builder Guide isn’t just typing words on a laptop. Each day, I’m finding new and innovative ways to help you get online in a mode you feel comfortable with. And it’s a task I do with enthusiasm and gusto. Not only do I have experience building with all the providers we talk about - creating websites such as this Strikingly demo - but we also have our wonderful, constantly updated research fielded by our researchers, so you can be reassured that what we say is an honest reflection of our professional opinions. I’ve written articles and featured guest posts for apps like UXPin on web design in the modern age, as well as answered over 100 user comments on the site and delved into the world of choosing a domain name and adding Bitcoin payments to your site in my own pitched articles. All of this is to say that when I want to get you online - I mean it! Outside the office, I have attended the eCommerce Expo and built up a ton of industry knowledge through talks, workshops, and guided learning sessions with noted experts. The internet is made for everyone, so come online and let us help you get there.

Leave a comment

Your email address will not be published. Required fields are marked *