CVE-2026-8610
Authorization Bypass in TypeSquare Webfonts for ConoHa WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typesquare | webfonts_for_conoha | to 2.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with subscriber-level access to modify site-wide font settings without proper authorization checks. However, there is no information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized POST requests to wp-admin pages that attempt to modify the plugin's site-wide font settings, such as typesquare_auth, show_post_form, and typesquare_fonttheme.
Since the vulnerability allows authenticated users with subscriber-level access and above to bypass authorization, checking for unusual POST requests from such users is key.
Commands to detect this could include inspecting web server logs for POST requests to wp-admin pages with parameters related to the TypeSquare Webfonts plugin settings.
- Use grep or similar tools to search access logs for POST requests to wp-admin, e.g., `grep 'POST /wp-admin' /var/log/apache2/access.log`
- Filter logs for requests containing parameters like 'typesquare_auth', 'fontThemeUseType', 'show_post_form', or 'typesquare_fonttheme'.
- Monitor for POST requests without valid nonce tokens especially for fontThemeUseType values 1 and 3, which are vulnerable to CSRF.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the TypeSquare Webfonts for ConoHa plugin to a version later than 2.0.4 where the authorization bypass is fixed.
If an update is not immediately possible, restrict access to wp-admin pages to trusted users only and monitor for suspicious POST requests attempting to change font settings.
Implement additional security measures such as web application firewalls (WAF) to block unauthorized POST requests and enforce nonce verification for sensitive actions.
Educate users with subscriber-level access and above about the risk and encourage minimal privilege use.
Can you explain this vulnerability to me?
The TypeSquare Webfonts for ConoHa plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 2.0.4. This occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.
As a result, authenticated users with subscriber-level access or higher can modify site-wide font settings by submitting a POST request to any wp-admin page.
Additionally, for certain fontThemeUseType values (1 and 3), there is no nonce verification, which makes those cases vulnerable to cross-site request forgery (CSRF) attacks.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with low-level access (subscriber and above) to change site-wide font settings without proper authorization.
Such unauthorized changes could affect the appearance and branding of the website, potentially leading to a degraded user experience or misuse of the siteβs visual identity.
Moreover, the lack of nonce verification for certain actions exposes the site to cross-site request forgery attacks, which could be exploited to perform unwanted changes without the user's consent.