CVE-2026-8610

TypeSquare Webfonts for ConoHa <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter

Missing Authorization
CVSS Score: 4.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.0.4
Published: May 19, 2026
Last updated: May 20, 2026
Affected plugin: ts-webfonts-for-conoha
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-8610

1. Vulnerability Summary

The TypeSquare Webfonts for ConoHa plugin (versions <= 2.0.4) contains a missing authorization vulnerability that allows authenticated users with Subscriber-level permissions or higher to modify site-wide plugin settings. The vulnerability exists because the plugin's settings update logic, likely hooked to admin_init, fails to verify the user's capabilities (e.g., manage_options) before updating options in the database. Additionally, certain logic branches (where fontThemeUseType is 1 or 3) skip nonce verification entirely, making the plugin also vulnerable to Cross-Site Request Forgery (CSRF).

2. Attack Vector Analysis

  • Endpoint: Any page within the WordPress administrative interface (e.g., /wp-admin/index.php, /wp-admin/admin-post.php).
  • Action Hook: admin_init (inferred from the "any wp-admin page" description).
  • Vulnerable Parameters: fontThemeUseType, show_post_form, typesquare_fonttheme.
  • Authentication: Authenticated (Subscriber or above).
  • Preconditions: The plugin must be active. No specific plugin configuration is required to trigger the vulnerability.

3. Code Flow (Inferred)

  1. An authenticated user (e.g., Subscriber) sends a POST request to /wp-admin/index.php.
  2. WordPress initializes the admin environment, triggering the admin_init hook.
  3. The plugin's handler (e.g., TypeSquare_Webfonts_Admin::save_settings or similar) executes.
  4. The handler checks for the presence of the fontThemeUseType parameter in $_POST.
  5. Authorization Failure: The handler does not call current_user_can( 'manage_options' ).
  6. Nonce Bypass: If $_POST['fontThemeUseType'] is set to 1 or 3, the code branches away from or skips the check_admin_referer() call.
  7. The plugin proceeds to call update_option() for:
    • typesquare_auth (using the value from fontThemeUseType)
    • show_post_form
    • typesquare_fonttheme

4. Nonce Acquisition Strategy

According to the vulnerability description:

  • For fontThemeUseType values 1 and 3, no nonce verification is performed.
  • Strategy: We will use fontThemeUseType=1 or fontThemeUseType=3 in our exploit to bypass the need for a nonce entirely. This confirms both the Authorization Bypass and the CSRF component.

If a nonce were required for other values, the strategy would be:

  1. Navigate to the plugin settings page: /wp-admin/options-general.php?page=ts-webfonts-for-conoha (inferred slug).
  2. Use browser_eval to extract the nonce from the form: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").

5. Exploitation Strategy

We will perform a POST request as a Subscriber user to modify the plugin's settings.

Request Details

  • Method: POST
  • URL: {{BASE_URL}}/wp-admin/index.php
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: [Subscriber Session Cookies]
  • Body Parameters:
    • fontThemeUseType: 1 (Triggers the nonce-less branch and sets typesquare_auth)
    • show_post_form: 1
    • typesquare_fonttheme: vulnerable_theme_modified

Steps

  1. Log in as a Subscriber user via the browser_navigate and browser_type tools.
  2. Capture the session cookies.
  3. Use http_request to send the malicious POST payload.
  4. Verify the change using WP-CLI.

6. Test Data Setup

  1. Install Plugin: Ensure ts-webfonts-for-conoha version 2.0.4 is installed and active.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Check Initial State:
    wp option get typesquare_auth
    wp option get show_post_form
    wp option get typesquare_fonttheme
    

7. Expected Results

  • The http_request should return a 200 OK or 302 Redirect.
  • The WordPress database options typesquare_auth, show_post_form, and typesquare_fonttheme will be updated to the values provided in the POST request.

8. Verification Steps

After the exploit attempt, run the following WP-CLI commands:

  1. Verify typesquare_auth:
    wp option get typesquare_auth
    # Expected: 1
    
  2. Verify show_post_form:
    wp option get show_post_form
    # Expected: 1
    
  3. Verify typesquare_fonttheme:
    wp option get typesquare_fonttheme
    # Expected: vulnerable_theme_modified
    

9. Alternative Approaches

If sending the request to /wp-admin/index.php does not trigger the admin_init logic (e.g., if the plugin checks for a specific page slug), target the settings page directly:

  • URL: {{BASE_URL}}/wp-admin/options-general.php?page=ts-webfonts-for-conoha

If fontThemeUseType=1 fails to trigger the settings update, try fontThemeUseType=3. Both are identified as skipping nonce checks.

If the settings are only updated if a specific "submit" parameter is present (common in WordPress plugins), add an inferred submit parameter:

  • submit=Save+Changes or typesquare_submit=1.

Research Findings
Static analysis — not yet PoC-verified

Summary

The TypeSquare Webfonts for ConoHa plugin fails to perform authorization checks and, in specific cases, nonce validation when saving settings via admin hooks. This allows authenticated subscribers to modify site-wide configurations, including authentication settings and font themes, either directly or via Cross-Site Request Forgery (CSRF).

Vulnerable Code

// Inferred from plugin logic described in research plan
// ts-webfonts-for-conoha.php (or admin handler)

public function save_settings() {
    if (isset($_POST['fontThemeUseType'])) {
        $use_type = $_POST['fontThemeUseType'];

        // Vulnerability 1: Missing current_user_can('manage_options') check
        
        // Vulnerability 2: Conditional nonce bypass for values 1 and 3
        if ($use_type != '1' && $use_type != '3') {
            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings')) {
                return;
            }
        }

        update_option('typesquare_auth', $use_type);

        if (isset($_POST['show_post_form'])) {
            update_option('show_post_form', sanitize_text_field($_POST['show_post_form']));
        }

        if (isset($_POST['typesquare_fonttheme'])) {
            update_option('typesquare_fonttheme', sanitize_text_field($_POST['typesquare_fonttheme']));
        }
    }
}

Security Fix

--- a/ts-webfonts-for-conoha/admin/class-typesquare-webfonts-admin.php
+++ b/ts-webfonts-for-conoha/admin/class-typesquare-webfonts-admin.php
@@ -10,10 +10,10 @@
 public function save_settings() {
-    if (isset($_POST['fontThemeUseType'])) {
-        $use_type = $_POST['fontThemeUseType'];
-        if ($use_type != '1' && $use_type != '3') {
-            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings')) {
-                return;
-            }
-        }
+    if (isset($_POST['fontThemeUseType'])) {
+        if (!current_user_can('manage_options')) {
+            wp_die(__('You do not have sufficient permissions to access this page.'));
+        }
+        check_admin_referer('typesquare_settings_action', 'typesquare_nonce');
+        
+        $use_type = sanitize_text_field($_POST['fontThemeUseType']);
         update_option('typesquare_auth', $use_type);
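
Review bot: the added check_admin_referer('typesquare_settings_action', 'typesquare_nonce') expects a different action and field name than the removed wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings'), and nothing in this hunk changes the form that emits the nonce. Unless the settings form is updated in the same change to call wp_nonce_field('typesquare_settings_action', 'typesquare_nonce'), every legitimate save will fail, including the fontThemeUseType 1 and 3 branches, whose requests were never required to carry a nonce. Two smaller points on the new $use_type line: pass the value through wp_unslash() before sanitize_text_field(), and because typesquare_auth is written directly from it, compare $use_type against the values the plugin supports and reject anything else. The hunk header declares 10 lines on each side while 9 are shown, so the patch will not apply as written.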

Exploit Outline

The exploit targets the settings modification logic triggered on `admin_init`. An attacker requires Subscriber-level credentials or must trick an administrator into visiting a malicious page (CSRF). To exploit the vulnerability, the attacker submits a POST request to any administrative endpoint (like /wp-admin/index.php). The payload must include the `fontThemeUseType` parameter set to either '1' or '3', which bypasses the plugin's internal nonce verification. Along with this, the attacker can include the `show_post_form` and `typesquare_fonttheme` parameters to overwrite the plugin's configuration in the `wp_options` table. Because there is no check for the user's capability to manage options, the server processes the update for any authenticated user session.
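
Since the page lists no patched release, one stopgap is a must-use plugin that enforces the two missing checks before the plugin's own handler runs. This is an added example, not code from the plugin or its vendor; the file location and the `tsw_guard_*` function names are hypothetical, and it assumes, as the inferred code flow above does, that the handler runs on `admin_init` and keys on `$_POST['fontThemeUseType']`.

```php
<?php
/**
 * Added example, not the plugin's code: stopgap must-use plugin for CVE-2026-8610.
 * Hypothetical location: wp-content/mu-plugins/ts-webfonts-guard.php
 * Assumption (from the inferred code flow): the save handler runs on admin_init
 * and keys on $_POST['fontThemeUseType'], so a check on init at priority 0
 * runs first.
 */

/** True when the Origin header (or, failing that, Referer) names this site. */
function tsw_guard_same_origin() {
    $source = '';
    if ( ! empty( $_SERVER['HTTP_ORIGIN'] ) ) {
        $source = $_SERVER['HTTP_ORIGIN'];
    } elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
        $source = $_SERVER['HTTP_REFERER'];
    }
    $sent = wp_parse_url( $source, PHP_URL_HOST );
    $own  = wp_parse_url( admin_url(), PHP_URL_HOST );
    // A missing header or an opaque "null" origin yields no host and is refused.
    return is_string( $sent ) && is_string( $own ) && 0 === strcasecmp( $sent, $own );
}

function tsw_guard_block_unauthorized_save() {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
    if ( ! is_admin() || 'POST' !== $method || ! isset( $_POST['fontThemeUseType'] ) ) {
        return; // Not a settings save; leave the request alone.
    }
    // Missing authorization: the options are site-wide, so require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Nonce-less branches (values 1 and 3): refuse submissions from other sites.
    if ( ! tsw_guard_same_origin() ) {
        wp_die( 'Cross-site settings change refused.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'tsw_guard_block_unauthorized_save', 0 );
```

The Origin/Referer comparison is a coarser control than a nonce, so remove the file once a release with proper capability and nonce checks is installed.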
